Make an appointment

Privacy Policy

Introduction 

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to simply as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).
The terms used are not gender-specific.
Status: 14 January 2023

Legal text by Dr. Schwenke. Click for more information.

Table of contents
Controller

wasserfasten.net
Dominik Mikulaschek
Holzwurmweg 5
4040 Linz
Authorized representatives: Dominik Mikulaschek
Email address: info@wasserfasten.net
Telephone: +43 650 8120848

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.

Types of data processed
  • Master data.
  • Contact data.
  • Content data.
  • Usage data.
  • Meta/communication data.
  • Applicant data.
  • Event data (Facebook).
Categories of data subjects
  • Customers.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Applicants.
Purposes of processing
  • Provision of contractual services and customer service.
  • Contact requests and communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion measurement.
  • Audience building.
  • Administration and answering of inquiries.
  • Application procedure.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Audience building.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.
Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the GDPR, national data protection provisions may apply in your or our country of residence or establishment. If more specific legal bases apply in individual cases, we will inform you of these in this privacy policy.

  • Consent (Art. 6(1) sentence 1 lit. a GDPR) The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR) Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Application procedure as a pre-contractual or contractual relationship (Art. 6(1) lit. b GDPR) Where, within the application procedure, special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise rights arising under employment law and social security and social protection law and fulfill the relevant obligations, processing is carried out under Art. 9(2) lit. b GDPR, in the case of protection of vital interests of the applicants or other persons under Art. 9(2) lit. c GDPR, or for purposes of preventive health care or occupational medicine, assessment of the employee’s working capacity, medical diagnosis, provision of health or social care or treatment, or management of systems and services in the health or social sector under Art. 9(2) lit. h GDPR. In the case of voluntary disclosure of special categories of data based on consent, processing is carried out on the basis of Art. 9(2) lit. a GDPR.

In addition to the data protection rules of the GDPR, national data protection rules apply in Austria. This includes, in particular, the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act, DSG). The Data Protection Act includes, in particular, special provisions on the right of access, the right to rectification or deletion, the processing of special categories of personal data, processing for other purposes, transfers, and automated decision-making in individual cases.

Security measures

In accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input, disclosure, ensuring availability of and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and responses to threats to the data. We also take the protection of personal data into account already in the development and selection of hardware, software and procedures in accordance with the principle of data protection by design and by default.
TLS encryption (https): To protect data you transmit via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in your browser’s address bar.

Transfer of personal data

As part of our processing of personal data, it may happen that the data is transferred to other parties, companies, legally independent organizational units or persons, or disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfer within the organization: We may transfer personal data to other departments within our organization or grant them access to this data. If this transfer is for administrative purposes, it is based on our legitimate business and economic interests or takes place if it is necessary to fulfill our contractual obligations, or if the data subject has given consent or a legal permission exists.

Data processing in third countries

If we process data in a third country, meaning outside the European Union (EU) or the European Economic Area (EEA), or if processing takes place in the context of using third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with legal requirements.
Subject to explicit consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, on the basis of contractual obligations through so-called standard contractual clauses of the EU Commission, where certifications exist, or on the basis of binding internal data protection rules (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of data

We delete the data we process in accordance with legal requirements as soon as the consents permitting processing are revoked or other permissions no longer apply (e.g. if the purpose of processing no longer applies or the data is no longer required for that purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing is restricted to these purposes. This means the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons, or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.
Our privacy notices may also contain further information on the retention and deletion of data that takes precedence for the respective processing activities.

Use of cookies

Cookies are small text files or other stored records that store information on end devices and read information from end devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-commerce shop, the content accessed or functions used in an online offering. Cookies can also be used for various purposes, for example for functionality, security and convenience of online offerings and for creating analyses of visitor flows.
Notes on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless this is not required by law. Consent is not necessary, in particular, if storing and reading information, including cookies, is strictly necessary in order to provide users with a telemedia service expressly requested by them (that is our online offering). Revocable consent is clearly communicated to users and includes information about the respective cookie use.
Notes on data protection legal bases: The data protection legal basis on which we process users’ personal data with the help of cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the economic operation of our online offering and improving its usability), or if it is carried out in the course of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We explain the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing processes.
Storage duration: With regard to the storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, the login status can be saved or preferred content displayed directly when the user visits a website again. Likewise, the user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are persistent and that the storage duration can be up to two years.

General notes on withdrawal and objection (opt-out): Users can withdraw their consent at any time and also object to processing in accordance with the legal requirements of Art. 21 GDPR. Users can also declare their objection via their browser settings, for example by disabling the use of cookies, although this may restrict the functionality of our online services. An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Types of data processed: Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

  • Processing of cookie data on the basis of consent: We use a cookie consent management procedure within which users’ consent to the use of cookies, and to the processing operations and providers named within the cookie consent management procedure, can be obtained, managed and withdrawn by users. The consent declaration is stored so that it does not have to be requested again and so that consent can be proven in accordance with legal obligations. Storage can take place on the server and or in a cookie (so-called opt-in cookie) or using comparable technologies in order to assign consent to a user or their device. Subject to individual information about the providers of cookie management services, the following notes apply: The duration of storage of consent can be up to two years. A pseudonymous user identifier is created and stored together with the time of consent, details about the scope of consent (e.g. which categories of cookies and or service providers), as well as the browser, system and device used.
  • Real Cookie Banner: Cookie consent management. Service provider: devowl.io GmbH, Tannet 12, 94539 Grafling, Germany. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://devowl.io/de/wordpress-real-cookie-banner/. Privacy policy: https://devowl.io/de/datenschutzerklaerung/.
Provision of the online offering and web hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses). Content data (e.g. entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness. Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers). Security measures.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

  • Provision of the online offering on rented storage space: To provide our online offering, we use storage space, computing capacity and software that we rent from or otherwise obtain from a corresponding server provider (also called a “web host”). Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called server log files. Server log files may include the address and name of the accessed web pages and files, date and time of access, amount of data transferred, message about successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used, on the one hand, for security purposes, for example to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand, to ensure server utilization and stability. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidence purposes is excluded from deletion until the respective incident has been finally clarified.
  • Email sending and hosting: The web hosting services we use also include sending, receiving and storing emails. For these purposes, the addresses of recipients and senders as well as further information relating to email dispatch (e.g. the providers involved) and the contents of the respective emails are processed. The above data may also be processed for purposes of spam detection. Please note that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but unless end-to-end encryption is used, they are not encrypted on the servers from which they are sent and received. We therefore cannot take responsibility for the transmission path of emails between the sender and receipt on our server. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • Content delivery network: We use a content delivery network (CDN). A CDN is a service with which content of an online offering, in particular large media files such as graphics or program scripts, can be delivered faster and more securely using regionally distributed servers connected via the internet. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • DomainFactory: Services in the field of providing information technology infrastructure and related services (e.g. storage space and or computing capacity). Service provider: domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://www.df.eu. Privacy policy: https://www.df.eu/de/datenschutz. Data processing agreement: https://www.df.eu/de/support/formulare/.
  • NitroPack: Content delivery network (CDN). Service that delivers content of an online offering, in particular large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the internet. Service provider: NitroPack IO, LLC., 3 “Professor Georgi Bradistilov, Studentski Kompleks, Sofia, postcode 1756, Bulgaria. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://nitropack.io. Privacy policy: https://nitropack.io/page/privacy.
Blogs and publication media

We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). Readers’ data is processed for the purposes of the publication medium only insofar as it is necessary for its presentation and for communication between authors and readers, or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the scope of these privacy notices.

  • Types of data processed: Master data (e.g. names, addresses). Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service. Feedback (e.g. collecting feedback via an online form). Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Contact and inquiry management

When contacting us (e.g. via contact form, email, telephone or via social media) and within the scope of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to respond to the contact inquiries and any requested measures.

  • Types of data processed: Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses). Master data (e.g. names, addresses).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact requests and communication. Administration and answering of inquiries. Feedback (e.g. collecting feedback via an online form). Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Further information on processing operations, procedures and services:

  • Contact form: If users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to handle the request. Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • LiveChat: Chatbot and support software and related services. Service provider: LiveChat Inc., One International Place, Suite 1400 Boston, Massachusetts 02110, USA. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://www.livechatinc.com/de. Privacy policy: https://www.livechatinc.com/legal/privacy-policy/.
Chatbots and chat functions

We offer online chats and chatbot functions as a means of communication (collectively referred to as “chat services”). A chat is an online conversation conducted with a certain degree of immediacy. A chatbot is software that answers users’ questions or informs them via messages. If you use our chat functions, we may process your personal data.
If you use our chat services within an online platform, your identification number within the respective platform will also be stored. We may also collect information about which users interact with our chat services and when. We also store the content of your conversations via the chat services and log registration and consent processes in order to be able to provide proof in accordance with legal requirements.
We inform users that the respective platform provider may determine that and when users communicate with our chat services, and may collect technical information about users’ devices and, depending on their device settings, location information (so-called metadata) for purposes of optimizing the respective services and for security purposes. Likewise, the metadata of communication via chat services (for example, information about who communicated with whom) could be used by the respective platform providers, in accordance with their provisions, to which we refer for further information, for marketing purposes or to display advertising tailored to users.
If users agree to activate information via regular messages with a chatbot, they can unsubscribe from the information at any time for the future. The chatbot informs users how and with which terms they can unsubscribe from the messages. When users unsubscribe from chatbot messages, the users’ data will be deleted from the directory of message recipients.
We use the aforementioned information to operate our chat services, for example to address users personally, answer their inquiries, provide requested content, and improve our chat services (for example, to “teach” chatbots answers to frequently asked questions or to identify unanswered inquiries).
Notes on legal bases: We use chat services on the basis of consent if we have previously obtained users’ permission to process their data within the scope of our chat services (this applies in cases where users are asked for consent, for example so that a chatbot can send them regular messages). If we use chat services to answer user inquiries about our services or our company, this serves contractual and pre-contractual communication. Otherwise, we use chat services on the basis of our legitimate interests in optimizing chat services, their economic operation, and improving the user experience.
Withdrawal, objection and deletion: You can withdraw consent at any time or object to the processing of your data within the scope of our chat services.

  • Types of data processed: Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses). Master data (e.g. names, addresses).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact requests and communication. Direct marketing (e.g. by email or post). Administration and answering of inquiries.
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Application procedure

The application procedure requires applicants to provide us with the data necessary for their assessment and selection. Which information is required results from the job description or, in the case of online forms, from the information provided there.
In principle, the required information includes personal details such as name, address, a contact option, as well as evidence of qualifications necessary for a position. Upon request, we will also be happy to inform you which information is required.
If provided, applicants can submit their applications to us using an online form. Data is transmitted to us encrypted in accordance with the state of the art. Applicants can also send their applications to us by email. However, please note that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but not on the servers from which they are sent and received. We therefore cannot take responsibility for the transmission path of the application between the sender and receipt on our server.
For the purposes of applicant search, submission of applications and selection of applicants, we may use applicant management or recruitment software and platforms and services from third-party providers, in compliance with legal requirements.
Applicants are welcome to contact us regarding the type of submission of the application, or to send us the application by post.
Processing of special categories of data: Where, within the application procedure, special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise rights arising under employment law and social security and social protection law and fulfill the relevant obligations, processing is carried out under Art. 9(2) lit. b GDPR, in the case of protection of vital interests of the applicants or other persons under Art. 9(2) lit. c GDPR, or for purposes of preventive health care or occupational medicine, assessment of the employee’s working capacity, medical diagnosis, provision of health or social care or treatment, or management of systems and services in the health or social sector under Art. 9(2) lit. h GDPR. In the case of voluntary disclosure of special categories of data based on consent, processing is carried out on the basis of Art. 9(2) lit. a GDPR.
Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion takes place, subject to a justified withdrawal by the applicants, at the latest after a period of six months so that we can answer any follow-up questions about the application and fulfill our documentation obligations under equal treatment rules for applicants. Invoices for any travel expense reimbursement are archived in accordance with tax law requirements.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, takes place on the basis of consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the ongoing application procedure, and they can withdraw their consent at any time for the future.

  • Types of data processed: Master data (e.g. names, addresses). Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms). Applicant data (e.g. personal details, postal and contact addresses, application documents and the information contained therein, such as cover letter, CV, certificates, and further information related to a specific position or voluntarily provided by applicants regarding their person or qualifications). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Applicants. Communication partners.
  • Purposes of processing: Application procedure (establishment and any later implementation as well as possible later termination of the employment relationship). Contact requests and communication. Administration and answering of inquiries.
  • Legal bases: Application procedure as a pre-contractual or contractual relationship (Art. 6(1) lit. b GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

  • Contact form: If users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to handle the request. Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Cloud services

We use software services accessible via the internet and executed on the servers of their providers (so-called “cloud services”, also referred to as “software as a service”) for storing and managing content (e.g. document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).
In this context, personal data may be processed and stored on the providers’ servers insofar as it is part of communication processes with us or otherwise processed by us, as described in this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.
If we make forms or other documents and content available for other users or publicly accessible websites with the help of cloud services, the providers may store cookies on users’ devices for purposes of web analysis or to remember user settings (e.g. in the case of media control).

  • Types of data processed: Master data (e.g. names, addresses). Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers. Employees (e.g. employees, applicants, former employees). Interested parties. Communication partners. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers). Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

  • NitroPack: Content delivery network (CDN). Service that delivers content of an online offering, in particular large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the internet. Service provider: NitroPack IO, LLC., 3 “Professor Georgi Bradistilov, Studentski Kompleks, Sofia, postcode 1756, Bulgaria. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://nitropack.io. Privacy policy: https://nitropack.io/page/privacy.
Web analytics, monitoring and optimization

Web analytics (also referred to as “reach measurement”) serves to evaluate visitor flows of our online offering and can include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offering or its functions or content are used most frequently or invite reuse. We can also track which areas need optimization.
In addition to web analytics, we can also use testing procedures, for example to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, for these purposes profiles, meaning data combined for a usage process, may be created and information stored in a browser or on a device and read from it. The collected information includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data vis-a-vis us or vis-a-vis the providers of the services we use, location data may also be processed.
Users’ IP addresses are also stored. However, we use an IP masking procedure, meaning pseudonymization by shortening the IP address, to protect users. In general, no clear data of users (such as email addresses or names) is stored within the scope of web analytics, A/B testing and optimization, but pseudonyms. This means that we and the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Remarketing. Audience building (determination of audiences relevant for marketing purposes or other output of content). Reach measurement (e.g. access statistics, recognition of returning visitors). Profiles with user-related information (creation of user profiles). Tracking (e.g. interest and behavior-based profiling, use of cookies). Provision of our online offering and user-friendliness.
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR).

Further information on processing operations, procedures and services:

Online marketing

We process personal data for purposes of online marketing, which includes in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on users’ potential interests and measuring its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (a “cookie”) or similar methods are used by which information relevant for the display of the aforementioned content is stored about the user. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used, as well as information on usage times and functions used. If users have consented to the collection of their location data, this may also be processed.
Users’ IP addresses are also stored. However, we use available IP masking procedures, meaning pseudonymization by shortening the IP address, to protect users. In general, no clear data of users (such as email addresses or names) is stored within the scope of online marketing procedures, but pseudonyms. This means that we and the providers of the online marketing procedures do not know the actual identity of users, but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or by similar methods. These cookies can later generally also be read on other websites that use the same online marketing procedure, analyzed for purposes of displaying content, and supplemented with further data and stored on the server of the online marketing procedure provider.
In exceptional cases, clear data can be assigned to the profiles. This is the case, for example, if users are members of a social network whose online marketing procedure we use and the network links users’ profiles with the aforementioned information. Please note that users may make additional agreements with the providers, for example by giving consent during registration.
As a rule, we only receive access to aggregated information about the success of our ads. However, within the scope of so-called conversion measurement, we can check which of our online marketing procedures led to a so-called conversion, meaning, for example, the conclusion of a contract with us. Conversion measurement is used solely to analyze the success of our marketing measures.
Unless otherwise stated, please assume that cookies used are stored for a period of two years.

  • Types of data processed: Content data (e.g. entries in online forms). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses). Event data (Facebook) (“event data” is data that may be transmitted by us to Facebook via the Facebook pixel (via apps or other means) and relates to persons or their actions. This includes, for example, information about visits to websites, interactions with content, functions, installations of apps, purchases of products, etc. Event data is processed for the purpose of forming audiences for content and advertising information (custom audiences). Event data does not include the actual content (such as comments), login information, or contact information (names, email addresses, phone numbers). Event data is deleted by Facebook after a maximum of two years, and the audiences created from it are deleted when our Facebook account is deleted).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors). Tracking (e.g. interest and behavior-based profiling, use of cookies). Conversion measurement (measurement of the effectiveness of marketing measures). Audience building. Marketing. Profiles with user-related information (creation of user profiles). Audience building (determination of audiences relevant for marketing purposes or other output of content). Provision of our online offering and user-friendliness.
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR).
  • Opt-out option: We refer to the privacy notices of the respective providers and the opt-out options specified for the providers. If no explicit opt-out option has been specified, you can, for one thing, disable cookies in your browser settings. This may restrict functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered in summary for the respective regions: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-region: https://optout.aboutads.info.

Further information on processing operations, procedures and services:

  • Facebook Pixel and audience building (custom audiences): With the help of the Facebook pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Facebook is able to determine visitors to our online offering as a target group for the display of ads (so-called Facebook ads). Accordingly, we use the Facebook pixel to show the Facebook ads placed by us only to those users on Facebook and within the services of Facebook’s cooperating partners (so-called Audience Network https://www.facebook.com/audiencenetwork/) who have shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products, which can be inferred from visited websites) that we transmit to Facebook (so-called custom audiences). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to users’ potential interests and do not appear intrusive. With the help of the Facebook pixel, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called conversion measurement). Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/about/privacy. More information: Users’ event data, meaning behavior and interest information, is processed for purposes of targeted advertising and audience building on the basis of the joint controllership agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ads and conversion measurement: We use the online marketing procedure “Google Ads” to place ads in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are shown to users who presumably have an interest in the ads (so-called conversion). We also measure the conversion of the ads. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page tagged with a so-called conversion tracking tag. We do not receive any information that could identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. More information: https://privacy.google.com/businesses/adsservices. Terms for controller data processing and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms.
  • LinkedIn: Insights tag and conversion measurement. Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland. Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy, cookie policy: https://www.linkedin.com/legal/cookie_policy. Standard contractual clauses: https://legal.linkedin.com/dpa. Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Presences in social networks (social media)

We maintain online presences within social networks and, in this context, process users’ data in order to communicate with users active there or to offer information about us.
We point out that users’ data may be processed outside the European Union. This can create risks for users, for example because the enforcement of users’ rights could be more difficult.
Furthermore, users’ data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on users’ usage behavior and interests. The usage profiles can in turn be used, for example, to place ads within and outside the networks that presumably match users’ interests. For these purposes, cookies are generally stored on users’ computers, in which users’ usage behavior and interests are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users, especially if users are members of the respective platforms and are logged in there.
For a detailed presentation of the respective forms of processing and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.
Also in the case of information requests and the assertion of data subject rights, we point out that these can be most effectively asserted with the providers. Only the providers have access to users’ data and can directly take appropriate measures and provide information. If you still need help, you can contact us.

  • Types of data processed: Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms). Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication. Feedback (e.g. collecting feedback via an online form). Marketing.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Plugins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or city maps (collectively referred to as “content”).
Integration always requires that the third-party providers of this content process the users’ IP address, since they could not send the content to users’ browsers without the IP address. The IP address is therefore required for displaying this content or functions. We strive to use only such content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include technical information about the browser and operating system, referring websites, time of visit, and further information about the use of our online offering, and may also be combined with such information from other sources.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times). Meta/communication data (e.g. device information, IP addresses). Master data (e.g. names, addresses). Contact data (e.g. email, phone numbers). Content data (e.g. entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

  • Google Fonts (loaded from Google servers): Provision of fonts (and symbols) for technically secure, maintenance-free and efficient use of fonts and symbols with regard to up-to-dateness and loading times, uniform display and consideration of possible licensing restrictions. The user’s IP address is communicated to the font provider so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for providing fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users’ browsers send their browser HTTP requests to the Google Fonts web API (a software interface for retrieving the fonts). The Google Fonts web API provides users with the cascading style sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of website visitors, as well as the referrer URL (the website on which the Google font is to be displayed). IP addresses are not logged or stored on Google servers and are not analyzed. The Google Fonts web API logs details of the HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts web API, the user agent must customize the font that is generated for the respective browser type. The user agent is primarily logged for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts “Analytics” page. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report of top integrations can be generated based on the number of font requests. According to Google, Google does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://fonts.google.com/. Privacy policy: https://policies.google.com/privacy. More information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • YouTube videos: Video content. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://www.youtube.com. Privacy policy: https://policies.google.com/privacy. Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, ad settings: https://adssettings.google.com/authenticated.
Changes and updates to the privacy policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your involvement (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please verify the information before contacting them.

Rights of data subjects

As data subjects, you have various rights under the GDPR, which result in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1) lit. e or f GDPR. This also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to access this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted without undue delay or, alternatively, to request restriction of the processing of the data in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transfer to another controller, in accordance with legal requirements.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.