Privacy Policy
Preamble
With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter referred to as “data”) that we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both within the scope of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as “Online Offer”).
The terms used are not gender-specific.
As of: September 9, 2024
Table of Contents
- Preamble
- Data Controller
- Overview of Processing Activities
- Relevant Legal Basis
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Retention and Deletion
- Rights of Data Subjects
- Provision of the Online Offer and Web Hosting
- Use of Cookies
- Blogs and Publication Media
- Contact and Inquiry Management
- Web Analysis, Monitoring, and Optimization
- Plug-ins and Embedded Functions as well as Content
Data Controller
Franziska Kiele
Alte Breisacher Straße 9
79112 Freiburg, Germany
E-Mail: FranziskaKieleAThotmailDOTde
Overview of Data Processing Activities
The following overview summarizes the types of data processed, the purposes of their processing, and references the categories of data subjects.
Types of Processed Data
- Inventory data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
- Log data
Categories of Data Subjects
- Communication partners
- Users
Purposes of Processing
- Communication
- Security measures
- Audience measurement
- Organizational and administrative procedures
- Feedback
- Profiles with user-related information
- Provision of our Online Offer and user-friendliness
- IT infrastructure
Relevant Legal Basis
Relevant legal basis under the GDPR: Below you will find an overview of the legal grounds of the GDPR on which we base the processing of personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. If other, more specific legal grounds are applicable in individual cases, we will inform you of these within this privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
- Performance of contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures that are taken at the data subject’s request.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – The processing is necessary to protect the legitimate interests of the controller or a third party, provided that these interests are not overridden by the interests, fundamental rights, or freedoms of the data subject that require protection of personal data.
National Data Protection Regulations in Germany
In addition to the data protection regulations of the GDPR, national regulations on data protection in Germany apply. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and data transfers as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of individual federal states may apply.
Note on the Applicability of the GDPR and the Swiss Data Protection Act (DSG)
This privacy policy serves both to provide information in accordance with the Swiss Data Protection Act (DSG) as well as the General Data Protection Regulation (GDPR). For clarity and due to broader geographic application, the terms of the GDPR are used. Specifically, instead of the terms “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data” used in the Swiss DSG, the corresponding terms from the GDPR are applied. However, the legal meaning of these terms remains defined by the Swiss DSG where applicable.
Security Measures
We take appropriate technical and organizational measures in accordance with the legal requirements, considering the state of the art, the costs of implementation, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as controlling access to, input into, transmission of, ensuring availability of, and separation of the data. We also have procedures in place to ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. Furthermore, we consider the protection of personal data already in the development or selection of hardware, software, and procedures according to the principle of data protection through technology design and privacy-friendly default settings.
Securing Online Connections via TLS/SSL Encryption Technology (HTTPS)
To protect the data of users transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transferred between the website or app and the user’s browser (or between two servers), thus safeguarding the data from unauthorized access. TLS, as the evolved and more secure version of SSL, ensures that all data transmissions meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by the presence of HTTPS in the URL, signaling to users that their data is being transmitted securely and encrypted.
Transmission of Personal Data
In the course of processing personal data, it may occur that such data is transferred to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT-related duties or providers of services and content embedded within a website. In such cases, we adhere to legal requirements and, in particular, conclude the necessary agreements or contracts that protect your data with the recipients of your data.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or the processing occurs through the use of services from third parties or the disclosure or transmission of data to other persons, entities, or companies, this will only take place in compliance with the legal requirements. Where the level of data protection in the third country has been recognized through an adequacy decision (Art. 45 GDPR), this forms the basis for the data transfer. Otherwise, data transfers will only occur if the data protection level is ensured by other means, particularly through standard contractual clauses (Art. 46 para. 2(c) GDPR), explicit consent, or in cases of contractual or legally required transmissions (Art. 49 para. 1 GDPR). Furthermore, we inform you about the legal basis of third-country transmissions for each individual provider from a third country, with adequacy decisions being given priority. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission’s website: EU Commission – International Dimension of Data Protection.
EU-US Trans-Atlantic Data Privacy Framework: Under the so-called “Data Privacy Framework” (DPF), the European Commission has recognized the data protection level for certain U.S. companies as adequate in accordance with the adequacy decision of July 10, 2023. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce’s website at Data Privacy Framework. We inform you in our privacy notices which service providers we use that are certified under the Data Privacy Framework.
General Information on Data Retention and Deletion
We delete personal data we process in accordance with legal requirements once the underlying consent is revoked or there are no other legal grounds for processing. This includes instances where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests necessitate longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices provide additional information on the retention and deletion of data specific to certain processing activities.
Where multiple retention periods or deletion deadlines are provided for a given data set, the longest period shall always apply.
If a deadline does not explicitly begin on a specific date and is at least one year in length, it automatically starts at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the date the termination becomes effective or other cessation of the legal relationship.
Data that is no longer needed for the original purpose but is retained due to legal requirements or other reasons is processed solely for the reasons justifying its retention.
Further Information on Processing Activities, Procedures, and Services:
Data Retention and Deletion: The following general retention periods apply under German law:
- 10 years: Retention of books and records, financial statements, inventories, management reports, opening balance sheets, and other organizational documents necessary for understanding these records, as well as booking records and invoices (§ 147 para. 3 in conjunction with para. 1 nos. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 nos. 1 and 4, para. 4 HGB).
- 6 years: Other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents relevant for taxation, such as payroll slips, operating statements, calculation documents, price tags, as well as payroll accounting documents, provided they are not already booking records and cash register tapes (§ 147 para. 3 in conjunction with para. 1 nos. 2, 3, 5 AO, § 257 para. 1 nos. 2 and 3, para. 4 HGB).
- 3 years: Data required to consider potential warranty and damage compensation claims or similar contractual claims and rights, as well as associated inquiries, are retained for the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have several rights under the GDPR, particularly those outlined in Articles 15 to 21 GDPR:
- Right to Object: You have the right to object at any time to the processing of personal data concerning you based on Article 6 para. 1 lit. e or f GDPR, including profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw your consent at any time.
- Right of Access: You have the right to request confirmation as to whether your data is being processed and to obtain information about this data as well as further details and a copy of the data in accordance with legal requirements.
- Right to Rectification: You have the right, in accordance with legal requirements, to request the completion or correction of data concerning you.
- Right to Erasure and Restriction of Processing: You have the right, under legal provisions, to request the immediate deletion of your data, or alternatively, to request the restriction of the processing of the data in accordance with legal requirements.
- Right to Data Portability: You have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format or to request the transfer of this data to another controller, in accordance with legal requirements.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
Provision of the Online Offer and Web Hosting
We process user data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Types of processed data: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files concerning logins or data retrieval or access times).
- Affected persons: Users (e.g., website visitors, online service users).
- Purposes of processing: Provision of our online offer and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
- Storage and deletion: Deletion according to the information in the section “General Information on Data Retention and Deletion.”
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called “server log files.” Server log files may include the address and name of the retrieved websites and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, for example, to prevent server overload (especially in cases of abusive attacks, so-called DDoS attacks), and to manage server load and ensure stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the incident is fully clarified.
Use of Cookies
Cookies are small text files or other storage notes that store and retrieve information on devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an online shop, the accessed content, or the functions used in an online offer. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offers, as well as for analyzing visitor traffic.
Notes on Consent: We use cookies in accordance with legal requirements. We therefore obtain prior consent from users unless consent is not required by law. In particular, consent is not required if the storage and retrieval of information, including cookies, are absolutely necessary to provide users with a telemedia service expressly requested by them (i.e., our online offer). The revocable consent is communicated clearly and contains information about the respective cookie usage.
Notes on Data Protection Legal Bases: The legal basis on which we process users’ personal data using cookies depends on whether we request their consent. If users agree, the legal basis for processing their data is the stated consent. Otherwise, the data processed through cookies is processed based on our legitimate interests (e.g., in the operational business of our online offer and the improvement of its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, on that basis. We explain the purposes for which cookies are processed in the course of this privacy policy or within our consent and processing procedures.
Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be stored, and preferred content can be displayed directly when the user revisits a website. Additionally, user data collected through cookies may be used for reach measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., during the acquisition of consent), they should assume that these are permanent and that the storage duration may last up to two years.
General Notes on Withdrawal and Objection (Opt-Out): Users can revoke any consent they have given at any time and also express an objection to processing according to legal provisions, including via their browser’s privacy settings.
- Types of Processed Data: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)
- Affected Persons: Users (e.g., website visitors, online service users)
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
Further Notes on Processing Processes, Procedures, and Services:
- Processing of Cookie Data Based on Consent: We use a consent management solution where user consent for the use of cookies or for the procedures and providers mentioned in the consent management solution is obtained. This procedure serves to obtain, log, manage, and revoke consents, particularly concerning the use of cookies and similar technologies used to store, read, and process information on users’ devices. Within this procedure, user consents for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management process, are obtained. Users also have the option to manage and revoke their consents. Consent statements are stored to avoid repeated queries and to provide evidence of consent according to legal requirements. Storage is done server-side and/or in a cookie (so-called opt-in cookie) or through similar technologies to assign the consent to a specific user or their device. If there are no specific details about the providers of consent management services, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
Plugins and Embedded Functions as well as Content
We integrate functional and content elements into our online services that are sourced from the servers of their respective providers (hereinafter referred to as “Third Parties”). These may include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as “Content”).
Integration always requires that the third-party providers of this content process the users’ IP addresses, as they would not be able to send the content to the users’ browsers without the IP address. The IP address is therefore necessary to display this content or these functions. We strive to use only content whose providers use the IP address solely for delivering the content. Third parties may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through these pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the users’ devices and may include technical details about the browser and operating system, referring websites, visit times, as well as other details about the use of our online services, and can also be combined with such information from other sources.
Notes on Legal Bases: If we ask users for their consent to use third-party services, the legal basis for data processing is consent. Otherwise, user data will be processed based on our legitimate interests (i.e., the interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.
- Processed Data Types: Usage data (e.g., page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
- Affected Persons: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online services and user-friendliness.
- Storage and Deletion: Deletion according to the information in the section “General Information on Data Retention and Deletion.” Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for a period of two years).
- Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further Notes on Processing Procedures, Methods, and Services:
- Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online services that we retrieve from the servers of other providers (e.g., functional libraries that we use for the presentation or user-friendliness of our online services). In doing so, the respective providers collect the users’ IP addresses and may process them for the purposes of transmitting the software to the users’ browsers, as well as for security, evaluation, and optimization of their services; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
