Privacy Policy

Preamble

With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as "data") that we process, the purposes for which we process them, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Services").

The terminology used in this Privacy Policy is gender-neutral.

Last updated: 13 June 2026

Table of Contents

  • Preamble
  • Controller
  • Overview of Processing Activities
  • Applicable Legal Bases
  • Security Measures
  • General Information on Data Storage and Deletion
  • Rights of Data Subjects
  • Business Services
  • Payment Procedures
  • Provision of the Online Services and Web Hosting
  • Use of Cookies
  • Registration, Login, and User Accounts
  • Single Sign-On
  • Contact and Inquiry Management
  • Newsletters and Electronic Notifications
  • Promotional Communications via Email, Mail, Fax, or Telephone
  • Sweepstakes and Competitions
  • Web Analytics, Monitoring, and Optimization
  • Online Marketing
  • Affiliate Programs
  • Customer Reviews and Rating Procedures
  • Social Media Presences
  • Plugins and Embedded Functions and Content
  • Privacy Information for Whistleblowers
  • Amendments and Updates
  • Definitions

Controller

Stefan Fischnaller
Sole Proprietor
Mentlgasse 5
6020 Innsbruck
Austria

Email: info@postexpert.de

Legal Notice (Imprint): https://www.postexpert.de/de/impressum

Overview of Processing Activities

The following overview summarizes the categories of personal data processed, the purposes of processing, and the categories of data subjects affected.

Categories of Personal Data Processed

  • Master data
  • Employee data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Metadata, communication data, and procedural data
  • Event data (Facebook)
  • Log data

Categories of Data Subjects

  • Customers and clients
  • Employees
  • Prospective customers
  • Communication partners
  • Users
  • Participants in sweepstakes and competitions
  • Business and contractual partners
  • Third parties
  • Whistleblowers

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Tracking
  • Office and organizational procedures
  • Conversion measurement
  • Audience creation
  • Affiliate tracking
  • Organizational and administrative procedures
  • Conducting sweepstakes and competitions
  • Feedback
  • Marketing
  • User-related profiles
  • Registration procedures
  • Provision and user-friendliness of our Online Services
  • Information technology infrastructure
  • Whistleblower protection
  • Public relations
  • Sales promotion
  • Business processes and commercial operations

Applicable Legal Bases

Applicable Legal Bases under the GDPR

Below you will find an overview of the legal bases under the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or in the country where we are established. Where more specific legal bases apply in individual cases, we will inform you of these in this Privacy Policy.

  • Consent (Article 6(1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a Contract and Pre-Contractual Requests (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

National Data Protection Regulations in Austria

In addition to the GDPR, national data protection legislation applies in Austria. This includes, in particular, the Austrian Data Protection Act (Datenschutzgesetz – DSG). The Austrian Data Protection Act contains specific provisions relating, among other things, to the right of access, the right to rectification and erasure, the processing of special categories of personal data, processing for other purposes, data transfers, and automated decision-making in individual cases.

Security Measures

Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with applicable legal requirements.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access to, input, disclosure, availability, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of personal data, and appropriate responses to data security incidents. We also consider the protection of personal data during the development or selection of hardware, software, and processing procedures in accordance with the principles of data protection by design and data protection by default.

Protection of Online Connections via TLS/SSL Encryption (HTTPS)

To protect user data transmitted through our Online Services against unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the fundamental technologies for secure data transmission over the Internet. These technologies encrypt the information exchanged between a website or application and the user's browser (or between two servers), thereby protecting the data against unauthorized access. TLS, as the more advanced and secure successor to SSL, ensures that all transmitted data meets the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the use of HTTPS in the website address (URL), informing users that their data is transmitted securely and in encrypted form.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with applicable legal requirements as soon as the underlying consent is withdrawn or no other legal basis for processing exists. This applies where the original purpose of processing no longer applies or the data is no longer required.

Exceptions to this rule apply where statutory obligations or legitimate interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law purposes, or whose storage is necessary for the establishment, exercise, or defense of legal claims, or for the protection of the rights of other natural or legal persons, must be archived accordingly.

Our Privacy Policy contains additional information on the retention and deletion of data that applies specifically to individual processing activities.

Where multiple retention periods or deletion deadlines apply to a specific category of data, the longest applicable period shall prevail.

Where data is retained solely due to statutory obligations or other legitimate reasons after the original processing purpose has ceased, such data will only be processed for the purposes that justify its continued retention.

Data Retention and Deletion

The following general retention periods apply under Austrian law where the retention or archiving of personal data is required to comply with legal obligations or safeguard legitimate interests:

  • 7 years: Personal data processed in connection with tax-relevant business records is retained for seven years pursuant to Section 132 of the Austrian Federal Fiscal Code (BAO) and Sections 190–212 of the Austrian Commercial Code (UGB). This includes, in particular, accounting records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents, invoices, incoming and outgoing business correspondence, and other documents relevant for tax assessment. The retention period begins at the end of the calendar year in which the last entry was made and may be extended for as long as the documents remain relevant to pending tax proceedings.
  • 3 years: Data required for the establishment, exercise, or defense of warranty claims, claims for damages, or other contractual claims is retained for the duration of the applicable statutory limitation period. As a rule, this period is three years pursuant to Section 1489 of the Austrian Civil Code (ABGB), unless longer statutory retention obligations apply.

Commencement of Retention Periods

Unless a retention period expressly begins on a specific date and is at least one year in length, it shall automatically commence at the end of the calendar year in which the event triggering the retention period occurred. In the case of ongoing contractual relationships during which personal data is stored, the triggering event is the effective date of termination or any other end of the legal relationship.

Rights of Data Subjects

Under the GDPR, you have the following rights as a data subject, in particular pursuant to Articles 15 to 21 GDPR:

  • Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling insofar as it is related to such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw your consent at any time with effect for the future.
  • Right of Access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, to access such data together with further information and a copy of the personal data in accordance with applicable legal requirements.
  • Right to Rectification: You have the right to request the correction of inaccurate personal data concerning you and the completion of incomplete personal data.
  • Right to Erasure and Restriction of Processing: You have the right, subject to the applicable legal requirements, to request the immediate deletion of your personal data or, alternatively, the restriction of its processing.
  • Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request that such data be transmitted to another controller where technically feasible.
  • Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Business Services

We process the personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers, and other cooperation partners (collectively referred to as "Contractual Partners"), for the purpose of initiating, performing, and managing contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken at the request of the data subject, as well as communication relating to the respective contractual relationship.

Processing is carried out primarily for the purpose of fulfilling our contractual primary and ancillary obligations. This includes the provision of the agreed services, any update and information obligations, the handling of warranty claims and other service disruptions, the processing of withdrawals, the termination of continuing obligations, contract reversals, refunds, and the handling of other contract-related declarations and inquiries. This applies to both one-time contracts and ongoing contractual relationships.

In particular, we process master data such as names, addresses, and, where applicable, company names; contact details such as email addresses and telephone numbers; contract and service-related data such as the subject matter and duration of the contract, order or transaction numbers, usage and performance data; payment and billing information; as well as communication content and communication history. Where necessary, we also process data disclosed or transmitted to us in connection with the performance of a contract.

Furthermore, we process personal data for the protection of our legal rights and to comply with legal obligations. This includes, in particular, obligations under commercial and tax law relating to record retention, documentation requirements, and, where applicable, obligations to provide evidence and accountability. Processing is also carried out on the basis of our legitimate interests in maintaining proper business management, internal administration, risk management, IT security, and protecting our business operations and our contractual partners against misuse, threats to data, confidential information, and other legally protected interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax advisors, legal advisors, and other subcontractors, where this is necessary for the performance of the contract or to comply with legal obligations.

Personal data will only be disclosed to third parties where this is necessary for the performance of the contract, the implementation of pre-contractual measures, the protection of legitimate interests, or compliance with legal obligations. Any processing beyond these purposes, particularly for marketing purposes, is explained separately in this Privacy Policy.

We inform our Contractual Partners which data is required in each individual case during the data collection process, for example through corresponding markings in online forms or during personal communication.

Personal data is deleted as soon as it is no longer required for the purposes described above, provided that no statutory retention obligations prevent its deletion. Statutory retention periods, particularly those under commercial and tax law, may require longer storage. Data transmitted to us in connection with a specific order will be deleted after completion of the order and expiry of any applicable statutory retention periods, unless further legal or contractual obligations require continued storage.

The legal basis for this processing is Article 6(1)(b) GDPR for the implementation of pre-contractual measures and the performance of contractual relationships, Article 6(1)(c) GDPR for compliance with legal obligations, and, where processing is based on legitimate interests, Article 6(1)(f) GDPR.

Where processing is based on Article 6(1)(f) GDPR, it serves our legitimate interests in maintaining an efficient and legally compliant business organization, internal administration and documentation of business transactions, the establishment, exercise, or defense of legal claims, ensuring IT and data security, preventing misuse and fraud, and managing and developing our business operations. These interests exist in particular to ensure secure and legally compliant business operations and to safeguard our entrepreneurial freedom of action.

Categories of Personal Data Processed

  • Master data (e.g. full name, residential address, contact information, customer number)
  • Payment data (e.g. bank account details, invoices, payment history)
  • Contact data (e.g. postal addresses, email addresses, telephone numbers)
  • Contract data (e.g. subject matter of the contract, contract term, customer category)
  • Usage data (e.g. page views, session duration, click paths, usage frequency and intensity, device types, operating systems, interactions with content and functions)
  • Metadata, communication data, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons)

Categories of Data Subjects

  • Customers and clients
  • Prospective customers
  • Business and contractual partners

Purposes of Processing and Legitimate Interests

  • Provision of contractual services and fulfillment of contractual obligations
  • Security measures
  • Communication
  • Office and organizational procedures
  • Organizational and administrative procedures
  • Business processes and commercial operations

Retention and Deletion

Personal data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion."

Legal Bases

  • Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
  • Compliance with legal obligations (Article 6(1)(c) GDPR)
  • Legitimate interests (Article 6(1)(f) GDPR)

Additional Information on Processing Activities, Procedures, and Services

Online Shop, Order Forms, E-Commerce, and Performance of Services

We process our customers' personal data in order to enable them to select, purchase, and order our products, goods, and related services, as well as to facilitate payment, delivery, or performance thereof.

Where necessary for the fulfillment of an order, we engage service providers, particularly postal services, freight carriers, and shipping companies, to carry out delivery or performance of the ordered products or services. We use banks and payment service providers to process payment transactions.

The information required for processing an order is clearly identified during the ordering or comparable purchasing process and includes all information necessary for delivery, provision of the services, billing, and contact details required for any necessary communication.

Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures).

Payment Procedures

Within the framework of contractual and other legal relationships, to comply with legal obligations, or on the basis of our legitimate interests, we provide data subjects with efficient and secure payment options. For this purpose, we use banks, credit institutions, and other payment service providers (collectively referred to as "Payment Service Providers").

Payment transactions are carried out exclusively through encrypted connections in accordance with the current state of the art, ensuring that the data entered during transmission is protected against unauthorized access.

The data processed by Payment Service Providers includes master data such as names and addresses, banking information such as account or credit card numbers, passwords, TANs, security codes, contract-related information, transaction amounts, and recipient information. This information is necessary to process payment transactions.

However, the entered data is processed and stored exclusively by the respective Payment Service Providers. We do not receive any account or credit card information; instead, we receive only information confirming or declining the payment.

In certain cases, Payment Service Providers may transmit data to credit reference agencies for identity verification and creditworthiness assessments. For further information, please refer to the respective Payment Service Provider's Terms and Conditions and Privacy Policy.

Payment transactions are governed by the Terms and Conditions and Privacy Policies of the respective Payment Service Providers, which are available on their respective websites or within the payment applications. We also refer you to these documents for further information and for exercising rights of withdrawal, access, and other data subject rights.

Categories of Personal Data Processed

  • Master data
  • Payment data
  • Contract data
  • Usage data
  • Metadata, communication data, and procedural data
  • Contact data

Categories of Data Subjects

  • Customers and clients
  • Business and contractual partners
  • Prospective customers

Purposes of Processing and Legitimate Interests

  • Provision of contractual services and fulfillment of contractual obligations
  • Business processes and commercial operations

Retention and Deletion

Personal data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion."

Legal Bases

  • Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
  • Legitimate interests (Article 6(1)(f) GDPR)

Payment Service Providers

Apple Pay

Payment services (technical integration of online payment methods).

  • Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA
  • Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures)

Website: https://www.apple.com/apple-pay/

Privacy Policy: https://www.apple.com/legal/privacy/

Google Pay

Payment services (technical integration of online payment methods).

  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures)

Website: https://pay.google.com/

Privacy Policy: https://business.safety.google/privacy/

Mastercard

Payment services (technical integration of online payment methods).

  • Service Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium
  • Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures)

Website: https://www.mastercard.com/

Privacy Policy: https://www.mastercard.com/privacy-and-cookies/

PayPal

Payment services (technical integration of online payment methods, including PayPal, PayPal Plus, and Braintree).

  • Service Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg
  • Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures)

Website: https://www.paypal.com/

Privacy Policy: https://www.paypal.com/privacy

Stripe

Payment services (technical integration of online payment methods).

  • Service Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
  • Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures)

Website: https://stripe.com/

Privacy Policy: https://stripe.com/privacy

Basis for transfers to third countries: EU-U.S. Data Privacy Framework (DPF).

Visa

Payment services (technical integration of online payment methods).

  • Service Provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom
  • Legal Basis: Article 6(1)(b) GDPR (Performance of a Contract and Pre-Contractual Measures)

Website: https://www.visa.com/

Privacy Policy: https://www.visa.com/privacy

Provision of the Online Services and Web Hosting

We process users' personal data in order to provide our Online Services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functionality of our Online Services to the user's browser or device.

Categories of Personal Data Processed

  • Usage data (e.g. page views, session duration, click paths, usage frequency and intensity, device types, operating systems, interactions with content and functions)
  • Metadata, communication data, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons)
  • Log data (e.g. server log files relating to logins, data retrieval, or access times)
  • Content data (e.g. text or image-based messages and posts, together with related information such as authorship or creation date)

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Purposes of Processing and Legitimate Interests

  • Provision of our Online Services and user-friendliness
  • Information technology infrastructure (operation and provision of information systems and technical equipment such as computers and servers)
  • Security measures

Retention and Deletion

Personal data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion."

Legal Basis

  • Legitimate interests (Article 6(1)(f) GDPR)

Additional Information on Processing Activities, Procedures, and Services

Hosting of the Online Services

To provide our Online Services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a hosting provider ("web host").

Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests).

Collection of Access Data and Server Log Files

Access to our Online Services is recorded in so-called server log files. These server log files may include:

  • The address and name of the requested web pages and files
  • Date and time of access
  • Volume of data transferred
  • Confirmation of successful retrieval
  • Browser type and version
  • User operating system
  • Referrer URL (previously visited page)
  • IP address
  • Requesting Internet service provider

Server log files are used for security purposes, for example to prevent server overload (particularly in the event of malicious attacks such as DDoS attacks), and to ensure the stability and reliable operation of our servers.

Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests).

Retention Period: Log file information is stored for a maximum of 30 days and is then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally resolved.

Email Transmission and Hosting

Our web hosting services also include the sending, receiving, and storage of emails. For these purposes, recipient and sender addresses, information relating to the email transmission (such as the providers involved), and the content of the respective emails are processed.

The above-mentioned data may also be processed to detect spam.

Please note that emails sent over the Internet are generally not encrypted end-to-end. While emails are usually encrypted during transmission, they are generally not encrypted on the sending and receiving mail servers unless end-to-end encryption is used. Consequently, we cannot assume responsibility for the transmission path of emails between the sender and our mail server.

Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests).

Content Delivery Network (CDN)

We use a Content Delivery Network (CDN). A CDN is a service that enables the faster and more secure delivery of content from our Online Services—particularly large media files such as images and scripts—through geographically distributed servers connected via the Internet.

Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests).

Use of Cookies

The term "cookies" refers to technologies that store information on users' devices and retrieve information from those devices.

Cookies may be used for various purposes, including ensuring the functionality, security, and convenience of Online Services, as well as generating analyses of visitor traffic.

We use cookies in accordance with applicable legal requirements. Where required, we obtain users' prior consent. Where consent is not required, processing is based on our legitimate interests. This applies where storing and accessing information is strictly necessary to provide content and functions expressly requested by the user, including storing user preferences and ensuring the functionality and security of our Online Services.

Consent may be withdrawn at any time. We provide clear information regarding the scope of consent and the cookies used.

Legal Basis for Cookie Processing

Whether personal data is processed through cookies depends on whether consent has been obtained.

Where consent has been granted, it serves as the legal basis for processing.

Where consent is not required, processing is based on our legitimate interests, as described in this section and in connection with the respective services and processing activities.

Storage Duration

The following categories of cookies are distinguished with regard to their storage duration:

Session Cookies

Temporary cookies (also referred to as session cookies) are deleted automatically once the user leaves the Online Services and closes their device (for example, the browser or mobile application).

Persistent Cookies

Persistent cookies remain stored even after the user's device has been closed.

For example, they may store login status or preferred settings, allowing them to be restored when the user revisits the website. User data collected through cookies may also be used for audience measurement.

Unless we explicitly inform users otherwise (for example, when obtaining consent), users should assume that cookies are persistent and may remain stored for up to two years.

Withdrawal of Consent and Right to Object (Opt-Out)

Users may withdraw any consent they have given at any time and may also object to processing in accordance with the applicable legal requirements, including by adjusting the privacy settings of their browser.

Categories of Personal Data Processed

  • Metadata, communication data, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons)

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Legal Bases

  • Legitimate interests (Article 6(1)(f) GDPR)
  • Consent (Article 6(1)(a) GDPR)

Additional Information on Processing Activities

Processing of Cookie Data Based on Consent

We use a Consent Management Platform (CMP) through which users' consent is obtained for the use of cookies and for the processing activities and service providers listed within the consent management solution.

This procedure serves to obtain, document, manage, and enable the withdrawal of consent, particularly with regard to the use of cookies and comparable technologies used to store, retrieve, and process information on users' devices.

Within the framework of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and service providers identified within the consent management solution.

Users may also manage and withdraw their consent at any time.

Consent records are stored in order to avoid repeated consent requests and to provide proof of consent in accordance with legal requirements.

Consent is stored either on the server and/or in a cookie (an opt-in cookie) or by means of comparable technologies so that consent can be assigned to a specific user or device.

Unless specific information is provided regarding the consent management service provider, the following generally applies:

  • Consent records are retained for up to two years.
  • A pseudonymous user identifier is created and stored together with the time consent was given, the scope of the consent (e.g. cookie categories and service providers), and information relating to the browser, operating system, and device used.

Legal Basis: Article 6(1)(a) GDPR (Consent).

Registration, Login, and User Account

Users may create a user account.

During registration, the required mandatory information is communicated to users and processed for the purpose of providing the user account on the basis of contractual performance. The processed data includes, in particular, login credentials (username, password, and email address).

When users make use of our registration and login functions and while using their user account, we store the user's IP address together with the time of the respective user action.

This storage is based on our legitimate interests as well as the users' interests in protecting against misuse and other unauthorized use.

As a general rule, this data is not disclosed to third parties unless disclosure is necessary to enforce our legal claims or is required by law.

Users may receive email notifications regarding matters relevant to their user account, such as technical changes.

Categories of Personal Data Processed

  • Master data
  • Contact data
  • Content data
  • Usage data
  • Log data

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Security measures
  • Organizational and administrative procedures
  • Provision of our Online Services and user-friendliness

Retention and Deletion

Personal data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion."

Deletion also takes place following termination of the user account, unless statutory retention obligations require continued storage.

Legal Bases

  • Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
  • Legitimate interests (Article 6(1)(f) GDPR)

Additional Information on Processing Activities

Registration Using a Pseudonym

Users may choose to use a pseudonym instead of their real name as their username.

Legal Basis: Article 6(1)(b) GDPR.

User Profiles Are Not Public

User profiles are not publicly visible or accessible.

Deletion of Data Following Account Termination

If users terminate their user account, the data associated with that account will be deleted unless storage is permitted or required by law or based on the user's consent.

Legal Basis: Article 6(1)(b) GDPR.

No Obligation to Retain User Data

Users are responsible for backing up their own data before the contractual relationship ends. We are entitled to permanently and irretrievably delete all user data stored during the contractual relationship once the contract has ended.

Legal Basis: Article 6(1)(b) GDPR.

Single Sign-On Login

"Single Sign-On" (SSO) or "Single Sign-On authentication" refers to authentication procedures that allow users to log in to our online services using an existing user account with a Single Sign-On provider (e.g., a social network). The prerequisite for using Single Sign-On authentication is that users are registered with the respective Single Sign-On provider and enter the required login credentials in the designated online form or are already logged in with the provider and confirm the Single Sign-On login via the corresponding button.

Authentication is carried out directly by the respective Single Sign-On provider. As part of this authentication process, we receive a user ID, together with the information that the user is logged in to the respective Single Sign-On provider under this user ID, and a unique identifier ("User Handle") that cannot be used by us for any other purpose. Whether additional data is transmitted to us depends solely on the specific Single Sign-On procedure used, the data sharing options selected by the user during authentication, and the privacy or account settings configured with the respective Single Sign-On provider. Depending on the provider and the user's settings, different data may be transmitted; typically, this includes the user's email address and username. The password entered with the Single Sign-On provider is neither visible to us nor stored by us.

Users should note that the information stored in their account with us may be automatically synchronized with their user account at the respective Single Sign-On provider. However, this is not always technically possible and does not necessarily occur. For example, if users change their email address with the Single Sign-On provider, they must update it manually in their account with us.

Where agreed with users, we may use Single Sign-On authentication for the performance of a contract or prior to entering into a contract if requested by the user, on the basis of consent where applicable, or otherwise based on our legitimate interests and the users' interest in an efficient and secure authentication system.

If users decide that they no longer wish to use the connection between their account and the Single Sign-On provider, they must remove this connection within their account settings at the respective provider. If users wish to delete their data stored by us, they must terminate their registration with us.

Categories of data processed:

  • Master data (e.g., full name, residential address, contact details, customer number).
  • Contact data (e.g., postal addresses, email addresses, telephone numbers).
  • Usage data (e.g., page views, time spent on pages, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Metadata, communication data and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Facebook Event Data ("Event Data" refers to information transmitted to Meta, for example via the Meta Pixel, whether through apps or other channels, relating to individuals or their actions. This may include details about website visits, interactions with content and features, app installations, and product purchases. Event Data is processed to create target audiences for content and advertising messages ("Custom Audiences"). Event Data does not include actual content such as comments, login credentials, or contact information such as names, email addresses, or telephone numbers. Event Data is deleted by Meta after a maximum of two years, and any audiences created from such data are deleted when our Meta user accounts are deleted.)

Data subjects:

  • Users (e.g., website visitors and users of online services).

Purposes of processing and legitimate interests:

  • Provision of contractual services and fulfilment of contractual obligations.
  • Security measures.
  • Authentication procedures.
  • Provision of our online services and enhancement of user experience.

Retention and deletion:

Data is deleted in accordance with the information provided in the section "General Information on Data Storage and Deletion." User data is deleted following termination of the user account.

Legal bases:

  • Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR).
  • Legitimate interests (Art. 6(1)(f) GDPR).

Additional information on processing operations, procedures and services

Apple Single Sign-On

Authentication services for user logins, provision of Single Sign-On functionality, identity management, and application integrations.

Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Website: https://www.apple.com/

Privacy Policy: https://www.apple.com/legal/privacy/


Facebook Single Sign-On

Authentication service provided by Facebook.

Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Website: https://www.facebook.com/

Privacy Policy: https://www.facebook.com/privacy/policy/

Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing

Transfers to third countries are based on the EU-U.S. Data Privacy Framework (DPF) and the European Commission's Standard Contractual Clauses (SCCs).


Google Single Sign-On

Authentication services for user logins, provision of Single Sign-On functionality, identity management, and application integrations.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Website: https://www.google.com/

Privacy Policy: https://business.safety.google/privacy/

Transfers to third countries are based on the EU-U.S. Data Privacy Framework (DPF).

Users may manage advertising preferences at: https://myadcenter.google.com/

Instagram Single Sign-On

Authentication services for user logins, provision of Single Sign-On functionality, identity management, and application integrations.

We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the subsequent processing) of "Event Data" that Facebook collects or receives through the Instagram Single Sign-On authentication procedures implemented on our online services for the following purposes:

a) Displaying content and advertisements that are likely to correspond to users' presumed interests;

b) Delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger);

c) Improving advertisement delivery and personalizing features and content (e.g., improving the identification of content or advertisements that are likely to correspond to users' interests).

We have entered into a specific agreement with Facebook (the "Controller Addendum"), which particularly governs the security measures Facebook is required to observe and under which Facebook has agreed to fulfil data subject rights (meaning that users may, for example, submit requests for access or deletion directly to Facebook).

Please note that where Facebook provides us with aggregated measurement data, analyses and reports (i.e., information that does not identify individual users and is anonymous to us), this processing is not carried out under the joint controllership arrangement. Instead, it is performed on the basis of a Data Processing Agreement ("Data Processing Terms"), the Data Security Terms and, with regard to processing in the United States, on the basis of the European Commission's Standard Contractual Clauses ("Facebook EU Data Transfer Addendum").

The rights of users (in particular the rights of access, deletion, objection, and the right to lodge a complaint with a competent supervisory authority) are not restricted by the agreements concluded with Facebook.

Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Website: https://www.instagram.com

Privacy Policy: https://privacycenter.instagram.com/policy/


Contact and Inquiry Management

When you contact us (e.g., by post, contact form, email, telephone, or via social media), as well as within the framework of existing user or business relationships, we process the personal data provided by the requesting person to the extent necessary for responding to the inquiry and carrying out any requested measures.

Categories of data processed

  • Contact data (e.g., postal addresses, email addresses, telephone numbers).
  • Content data (e.g., text or image messages, posts, and related information such as authorship or time of creation).
  • Metadata, communication data and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).

Data subjects

Communication partners.

Purposes of processing and legitimate interests

  • Communication.
  • Organisational and administrative procedures.
  • Feedback (e.g., collecting feedback through online forms).
  • Provision of our online services and improvement of user experience.

Retention and deletion

Deletion takes place in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Legal bases

  • Legitimate interests (Art. 6(1)(f) GDPR).
  • Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR).

Additional information regarding processing operations, procedures and services

Contact Form

When you contact us via our contact form, email or any other communication channel, we process the personal data you provide in order to respond to and process your request.

This generally includes your name, contact details and, where applicable, any additional information you provide that is necessary for the proper handling of your inquiry.

We use this data exclusively for the purpose of responding to your inquiry and communicating with you.

Legal bases:

  • Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR).
  • Legitimate interests (Art. 6(1)(f) GDPR).

Newsletters and Electronic Notifications

We send newsletters, emails and other electronic notifications (hereinafter collectively referred to as "Newsletters") only with the recipient's consent or on another legal basis.

Where the content of the Newsletter is specifically described during the subscription process, this content shall determine the scope of the user's consent.

As a rule, only your email address is required to subscribe to our Newsletter. However, in order to provide you with a personalised service, we may ask you to provide your name for personalised salutations or other information where necessary for the purpose of the Newsletter.

Deletion and restriction of processing

We may retain unsubscribed email addresses for up to three years on the basis of our legitimate interests in order to demonstrate that consent was previously given.

Processing of these data is restricted exclusively to the purpose of defending against possible legal claims.

An individual request for deletion may be submitted at any time, provided that the previous existence of consent is simultaneously confirmed.

Where we are legally required to permanently observe objections, we reserve the right to retain the email address solely for this purpose in a suppression list (also referred to as a "blocklist").

Logging of the subscription process is carried out on the basis of our legitimate interests for the purpose of demonstrating that the subscription procedure was properly completed.

Where we commission a service provider to send emails on our behalf, this is done on the basis of our legitimate interests in maintaining an efficient and secure mailing system.

Newsletter content

Information about our company, our services, promotions and offers.

Categories of data processed

  • Master data (e.g., full name, residential address, contact details, customer number).
  • Contact data (e.g., postal addresses, email addresses, telephone numbers).
  • Metadata, communication data and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Usage data (e.g., page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects

Communication partners.

Purposes of processing

Direct marketing (e.g., via email or postal mail).

Legal basis

Consent (Art. 6(1)(a) GDPR).

Right to object (Opt-Out)

You may unsubscribe from our Newsletter at any time, withdraw your consent, or object to receiving future Newsletters.

An unsubscribe link is included at the end of every Newsletter. Alternatively, you may use any of the contact methods listed above, preferably by email.

Additional information regarding processing operations, procedures and services

Measurement of Open and Click Rates

Our Newsletters contain so-called web beacons, i.e., pixel-sized files that are retrieved from our server or, where applicable, from the server of our mailing service provider when the Newsletter is opened.

During this process, technical information is initially collected, including information about your browser and operating system, your IP address, and the time the Newsletter was accessed.

This information is used solely for the technical improvement of our Newsletter based on recipient behaviour.

Legal basis: Consent (Art. 6(1)(a) GDPR).

Marketing Communications via Email, Post, Fax or Telephone

We process personal data for the purpose of marketing communications, which may be carried out through various communication channels, such as email, telephone, postal mail, or fax, in accordance with the applicable legal requirements.

Recipients have the right to withdraw any consent they have given at any time or to object, free of charge and at any time, to receiving marketing communications, using one of the contact methods listed above.

Following the withdrawal of consent or objection, we retain the data required to demonstrate the previous legitimacy of contacting or sending marketing communications for up to three years after the end of the calendar year in which the withdrawal or objection was received, based on our legitimate interests. The processing of these data is limited exclusively to the purpose of defending against potential legal claims.

Furthermore, based on our legitimate interest in permanently respecting users' withdrawal of consent or objection, we store the data necessary to prevent further contact (e.g., depending on the communication channel, the email address, telephone number, or name).

Categories of data processed

  • Master data (e.g., full name, residential address, contact details, customer number).
  • Contact data (e.g., postal addresses, email addresses, telephone numbers).
  • Content data (e.g., text or image messages and posts, including related information such as authorship or the time of creation).

Data subjects

Communication partners.

Purposes of processing and legitimate interests

  • Direct marketing (e.g., by email or postal mail).
  • Marketing.
  • Sales promotion.

Retention and deletion

Deletion takes place in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Legal bases

  • Consent (Art. 6(1)(a) GDPR).
  • Legitimate interests (Art. 6(1)(f) GDPR).

Sweepstakes and Competitions

We process the personal data of participants in sweepstakes and competitions only in compliance with the applicable data protection laws, insofar as such processing is contractually necessary for the provision, execution, and administration of the sweepstakes or competition, where participants have consented to the processing, or where processing serves our legitimate interests (for example, ensuring the security of the sweepstakes or protecting our interests against misuse by recording IP addresses when entries are submitted).

Where participant contributions are published as part of a sweepstakes or competition (for example, during voting procedures, the presentation of competition entries or winners, or in reports relating to the sweepstakes), participants are informed that their names may also be published in this context. Participants may object to such publication at any time.

If a sweepstakes or competition is conducted through an online platform or social network (e.g., Facebook or Instagram, hereinafter referred to as an "Online Platform"), the respective terms of use and privacy policies of that platform shall also apply. In such cases, we point out that we are responsible for the participant information collected in connection with the sweepstakes and that any inquiries relating to the sweepstakes should be directed to us.

Participant data will be deleted as soon as the sweepstakes or competition has ended and the data is no longer required, either for notifying winners or because no further inquiries relating to the sweepstakes are expected.

As a general rule, participant data will be deleted no later than six months after the end of the sweepstakes.

Winner data may be retained for a longer period where necessary, for example, to answer questions relating to prizes or to fulfil prize obligations. In such cases, the retention period depends on the type of prize and may extend to up to three years for goods or services, for example, in order to process warranty claims.

Participant data may also be retained for longer periods where necessary for reporting on the sweepstakes in online or offline media.

Where personal data collected in connection with a sweepstakes is also processed for other purposes, such processing and the applicable retention periods are governed by the relevant privacy information relating to that specific use (for example, where participants subscribe to a newsletter as part of the sweepstakes).

Categories of data processed

  • Master data (e.g., full name, residential address, contact details, customer number).
  • Contact data (e.g., postal addresses, email addresses, telephone numbers).
  • Content data (e.g., text or image messages and posts, including related information such as authorship or the time of creation).

Data subjects

Participants in sweepstakes and competitions.

Purposes of processing

Administration and execution of sweepstakes and competitions.

Retention and deletion

Deletion takes place in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Legal bases

  • Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR).
  • Legitimate interests (Art. 6(1)(f) GDPR).

Web Analytics, Monitoring and Optimisation

Web analytics (also referred to as "audience measurement") is used to evaluate visitor traffic to our online services and may include behavioural, interest-based, or demographic information about visitors, such as age or gender, in the form of pseudonymous data.

Through audience measurement, we are able, for example, to determine the times at which our online services, individual functions, or content are used most frequently or are likely to be revisited. We are also able to identify areas requiring optimisation.

In addition to web analytics, we may also use testing procedures, for example to test and optimise different versions of our online services or individual components thereof.

Unless otherwise specified below, profiles (i.e., data combined for a specific usage process) may be created for these purposes, and information may be stored in or read from a browser or end device.

The information collected includes, in particular, visited websites, the elements used thereon, and technical information such as the browser used, the operating system of the device, and information relating to the time of use.

Where users have consented to the collection of their location data by us or by the providers of the services we use, location data may also be processed.

Users' IP addresses are likewise processed. However, we apply an IP masking procedure (i.e., pseudonymisation by truncating the IP address) in order to protect users.

Generally, no directly identifiable user data (such as names or email addresses) is stored in connection with web analytics, A/B testing or optimisation. Instead, pseudonyms are used. Accordingly, neither we nor the providers of the software employed know the actual identity of users; only the information stored within their respective pseudonymous profiles for the relevant procedures is available.

Information regarding the legal basis

Where we request users' consent to the use of third-party providers, the legal basis for processing personal data is the user's consent.

Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, economically viable and user-friendly services).

In this context, we also refer you to the information regarding the use of cookies contained in this Privacy Policy.

Categories of data processed

  • Usage data (e.g., page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Metadata, communication data and procedural data (e.g., IP addresses, timestamps, identification numbers and persons involved).

Data subjects

Users (e.g., website visitors and users of online services).

Purposes of processing and legitimate interests

  • Audience measurement (e.g., access statistics and recognition of returning visitors).
  • Creation of user profiles containing user-related information.
  • Provision of our online services and enhancement of user experience.

Retention and deletion

Deletion takes place in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Unless otherwise specified, cookies and comparable storage technologies may remain stored on users' devices for a period of up to two years.

Security measures

IP masking (pseudonymisation of IP addresses).

Legal bases

  • Consent (Art. 6(1)(a) GDPR).
  • Legitimate interests (Art. 6(1)(f) GDPR).

Additional Information on Processing Operations, Procedures and Services

Google Analytics

We use Google Analytics to measure and analyse the use of our online services based on a pseudonymous user identification number. This identification number does not contain any directly identifiable information, such as names or email addresses. It serves to assign analytical information to a device in order to determine which content users have accessed during one or more usage sessions, which search terms they have used, whether they have revisited the content, or how they have interacted with our online services. The time and duration of use, the sources from which users accessed our online services, and technical information regarding their devices and browsers are also recorded.

Pseudonymous user profiles are created using information collected from the use of different devices; cookies may be used for this purpose.

Google Analytics does not log or store individual IP addresses of users located within the European Union. However, Analytics provides approximate geographical location data by deriving the following metadata from IP addresses:

  • City (including the corresponding latitude and longitude),
  • Continent,
  • Country,
  • Region,
  • Subcontinent,
  • and corresponding identifier-based geographical information.

For data traffic originating from the European Union, IP address information is used exclusively for deriving this geolocation data before being immediately deleted. It is neither logged nor made accessible, nor is it used for any other purpose.

When Google Analytics collects measurement data, all IP requests are processed on servers located within the European Union before the traffic is forwarded to Analytics servers for further processing.

Service provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Legal basis:

Consent (Art. 6(1)(a) GDPR).

Website:

https://marketingplatform.google.com/about/analytics/

Security measures:

IP masking (pseudonymisation of IP addresses).

Privacy Policy:

https://business.safety.google/privacy/

Data Processing Agreement:

https://business.safety.google/adsprocessorterms/

Transfers to third countries:

Data transfers are based on the EU-U.S. Data Privacy Framework (DPF) and the European Commission's Standard Contractual Clauses (SCCs).

Opt-Out Options:

Google Analytics Opt-Out Browser Add-on:

https://tools.google.com/dlpage/gaoptout

Google Ad Settings:

https://myadcenter.google.com/personalizationoff

Further information:

https://business.safety.google/adsservices/

(Information regarding the types of processing activities and processed data.)


Google Tag Manager

We use Google Tag Manager, a software solution provided by Google that enables us to centrally manage so-called website tags through a single user interface.

Tags are small code elements integrated into our website that are used to record and analyse visitor activities. This technology helps us improve our website and the content made available through it.

Google Tag Manager itself does not create user profiles, store cookies containing user profiles, or perform independent analyses.

Its functionality is limited to facilitating and simplifying the implementation and management of the tools and services used on our website.

Nevertheless, when Google Tag Manager is used, users' IP addresses are transmitted to Google, as this is technically necessary for implementing the services integrated through Google Tag Manager.

Cookies may also be set in this context. However, such data processing only occurs where services requiring cookies or similar technologies are integrated via Google Tag Manager.

For more detailed information regarding these services and their respective processing of personal data, please refer to the relevant sections of this Privacy Policy.

Service provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Legal basis:

Consent (Art. 6(1)(a) GDPR).

Website:

https://marketingplatform.google.com/

Privacy Policy:

https://business.safety.google/privacy/

Data Processing Agreement:

https://business.safety.google/adsprocessorterms/

Transfers to third countries:

Transfers of personal data to third countries are based on the EU-U.S. Data Privacy Framework (DPF) and the European Commission's Standard Contractual Clauses (SCCs).


Online Marketing

We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as "Content") based on users' potential interests, as well as measuring the effectiveness of such content.

For these purposes, so-called user profiles are created and stored in a file (a "cookie"), or similar technologies are used to store information relevant for displaying the aforementioned content to users. This information may include, for example, viewed content, visited websites, used online networks, communication partners, technical information such as the browser used, the operating system, information regarding usage times, and the functions used. Where users have consented to the collection of their location data, such data may also be processed.

Users' IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no directly identifiable user data (such as names or email addresses) is stored as part of the online marketing process. Instead, pseudonyms are used. This means that neither we nor the providers of the online marketing services know the actual identity of the users, but only the information stored in their profiles.

The information contained in these profiles is generally stored in cookies or by similar technologies. These cookies can subsequently be read on other websites that use the same online marketing technology, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the servers of the online marketing provider.

In exceptional cases, personal data may be linked to user profiles, particularly where users are members of a social network whose online marketing services we use and where the social network links user profiles with the aforementioned information. Please note that users may enter into separate agreements with the respective providers, for example by giving consent during registration.

As a rule, we only receive aggregated information regarding the success of our advertisements. However, within the scope of so-called conversion tracking, we can determine which of our online marketing measures have resulted in a conversion, for example, the conclusion of a contract with us. Conversion tracking is used solely to analyze the effectiveness of our marketing activities.

Unless otherwise stated, cookies used for online marketing are stored for a period of two years.

Information on Legal Bases

Where we request users' consent for the use of third-party services, the legal basis for processing is their consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in providing efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies contained in this Privacy Policy.

Information on Withdrawal of Consent and Right to Object

Please refer to the privacy policies of the respective providers and the opt-out options they provide. If no explicit opt-out option is available, you may disable cookies in your browser settings. Please note, however, that this may limit certain functions of our website.

We additionally recommend the following industry-wide opt-out options:

Categories of Data Processed

  • Usage data (e.g., page views, time spent on pages, click paths, usage intensity and frequency, device types, operating systems, interactions with content and features)
  • Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)

Data Subjects

  • Users (e.g., website visitors and users of online services)

Purposes of Processing and Legitimate Interests

  • Audience measurement (e.g., access statistics, recognition of returning visitors)
  • Tracking (e.g., interest-based and behavioral profiling, use of cookies)
  • Target group creation
  • Marketing
  • Creation of user profiles
  • Conversion tracking (measurement of marketing effectiveness)

Storage and Deletion

Data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion." Unless otherwise specified, cookies and similar storage technologies are retained on users' devices for up to two years.

Security Measures

  • IP masking (pseudonymization of IP addresses)

Legal Bases

  • Consent (Art. 6(1)(a) GDPR)
  • Legitimate Interests (Art. 6(1)(f) GDPR)

Google Ads and Conversion Tracking

We use Google Ads to display advertisements within Google's advertising network (e.g., in search results, videos, websites, etc.) to users who are presumed to have an interest in our services.

In addition, we measure the conversion performance of advertisements, i.e., whether users interacted with advertisements and subsequently made use of the advertised offers. We receive only anonymized statistical information and no personally identifiable information about individual users.

Service Provider:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Legal Bases:

  • Consent (Art. 6(1)(a) GDPR)
  • Legitimate Interests (Art. 6(1)(f) GDPR)

Website:
https://marketingplatform.google.com/

Privacy Policy:
https://business.safety.google/privacy/

Transfers to Third Countries:
Data Privacy Framework (DPF)

Further information:
https://business.safety.google/adsservices/

Affiliate Program

We operate an affiliate program under which users ("Affiliates") receive commissions or other benefits (collectively referred to as "Commission") for referring customers to our products or services.

The referral is made using affiliate links assigned to the respective affiliate or by other methods (e.g., discount codes) that allow us to determine that a transaction originated from the referral.

Customer Reviews and Rating Systems

We participate in review and rating systems to evaluate, improve, and promote our services.

If users submit reviews or feedback via participating review platforms, the respective providers' Terms of Service and Privacy Policies also apply. In most cases, submitting a review requires registration with the respective provider.

To ensure that reviewers have actually used our services, we transmit, with the customer's consent, the information required for verification (including name, email address, order number, or product number) to the respective review platform. This information is used solely to verify the authenticity of the review.

Categories of Data Processed

  • Contract data (e.g., subject matter of the contract, contract duration, customer category)
  • Usage data
  • Metadata, communication data, and procedural data

Data Subjects

  • Customers
  • Contractual partners
  • Users of our online services

Purposes of Processing

  • Collection of customer feedback
  • Marketing

Legal Bases

  • Legitimate Interests (Art. 6(1)(f) GDPR)
  • Consent (Art. 6(1)(a) GDPR)

Review Widgets

Our website integrates so-called review widgets. A widget is a functional and content element embedded in our website that displays dynamic information, such as review seals or badges.

The widget content is retrieved directly from the servers of the respective widget provider to ensure that current information is always displayed. As a result, a data connection is established between the user's browser and the widget provider's server. During this process, the provider receives technical information, including access data and the user's IP address.

The widget provider also receives information indicating that users have visited our website. This information may be stored in cookies and used to determine which participating websites the user has visited. Such information may also be stored in user profiles and used for advertising or market research purposes.

Legal Basis:
Legitimate Interests (Art. 6(1)(f) GDPR)

Trusted Shops (Trustbadge)

We use the Trusted Shops Trustbadge.

Within the framework of the joint controllership agreement between us and Trusted Shops, please contact Trusted Shops directly regarding data protection issues or the exercise of your data protection rights using the contact details provided in their Privacy Policy. You may also contact us at any time. If necessary, your request will be forwarded to the other responsible party.

The Trustbadge is provided through a U.S.-based Content Delivery Network (CDN). An adequate level of data protection is ensured by the use of Standard Contractual Clauses and additional contractual safeguards.

When the Trustbadge is accessed, the web server automatically stores a server log containing your IP address, date and time of access, amount of data transferred, and the requesting internet service provider. The IP address is anonymized immediately after collection and cannot be linked to your identity. The anonymized data is used for statistical analysis and troubleshooting.

Where you have provided your consent, the Trustbadge accesses order information stored on your device after the completion of your purchase (including order value, order number, and, where applicable, purchased product), as well as your email address. Your email address is hashed using a one-way cryptographic function before the hash value and order information are transmitted to Trusted Shops pursuant to Art. 6(1)(a) GDPR.

This allows Trusted Shops to verify whether you are already registered for its services. If you are registered, further processing takes place in accordance with the contractual agreement between you and Trusted Shops. If you are not registered or have not consented to automatic recognition via the Trustbadge, you will be offered the opportunity to register manually or activate buyer protection.

To offer buyer protection, the Trustbadge accesses the order amount, order number, and email address stored on your device after your purchase. Data is transferred to Trusted Shops only if you actively choose buyer protection by clicking the corresponding button within the Trustcard.

If you decide to use the services, further processing is based on the contractual relationship pursuant to Art. 6(1)(b) GDPR.

Trusted Shops uses service providers for hosting, monitoring, and logging. The legal basis for such processing is Art. 6(1)(f) GDPR to ensure uninterrupted operation. Processing may also take place in third countries, including the United States and Israel. An adequate level of protection is ensured through Standard Contractual Clauses and, in the case of Israel, by an adequacy decision of the European Commission.

Service Provider:
Trusted Shops GmbH
Subbelrather Str. 15C
50823 Cologne
Germany

Legal Bases:

  • Consent (Art. 6(1)(a) GDPR)
  • Legitimate Interests (Art. 6(1)(f) GDPR)

Website:
https://www.trustedshops.com/

Privacy Policy:
https://www.trustedshops.com/legal/privacy/

Social Media Presence

We maintain online presences on social media platforms and process users' personal data in this context to communicate with users who are active on these platforms and to provide information about our company.

Please note that user data may be processed outside the European Union. This may result in risks for users, as the enforcement of their rights may be more difficult.

Furthermore, user data is generally processed by social media platforms for market research and advertising purposes. User profiles may be created based on users' behavior and the interests derived from it. These profiles may subsequently be used to display advertisements both within and outside the respective social networks that are presumed to match users' interests.

For this purpose, cookies are generally stored on users' devices in which their usage behavior and interests are recorded. In addition, user profiles may contain data independent of the devices used by users, particularly if they are registered members of the respective platforms and logged into their accounts.

For detailed information regarding the respective processing activities and available opt-out options, please refer to the privacy policies of the respective social media providers.

If you wish to exercise your data subject rights or request information, please note that these rights can be exercised most effectively directly with the respective providers, as they alone have direct access to user data and can take the necessary measures. Should you nevertheless require assistance, you are welcome to contact us.

Categories of Data Processed

  • Contact data (e.g., postal addresses, email addresses, telephone numbers)
  • Content data (e.g., text and image messages, posts, and related information such as authorship or creation date)
  • Usage data (e.g., page views, time spent on pages, click paths, usage intensity and frequency, device types, operating systems, interactions with content and functions)

Data Subjects

  • Users (e.g., website visitors and users of online services)

Purposes of Processing

  • Communication
  • Collection of feedback
  • Public relations

Storage and Deletion

Data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion."

Legal Basis

  • Legitimate Interests (Art. 6(1)(f) GDPR)

Instagram

Instagram is a social networking service that enables users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages.

Service Provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal Basis:

  • Legitimate Interests (Art. 6(1)(f) GDPR)

Website:
https://www.instagram.com

Privacy Policy:
https://privacycenter.instagram.com/policy/

Transfers to Third Countries:
Data Privacy Framework (DPF)

Plug-ins, Embedded Features and Third-Party Content

We integrate functional and content elements into our online services that are obtained from the servers of their respective providers (hereinafter referred to as "Third-Party Providers"). These may include, for example, graphics, videos, maps, or similar content (collectively referred to as "Content").

The integration of such content always requires that the Third-Party Providers process users' IP addresses, as they cannot deliver the content to users' browsers without the IP address. The IP address is therefore technically required for displaying such content or functions.

We endeavor to use only content from providers who use IP addresses solely for delivering the requested content.

Third-Party Providers may also use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags allow information such as visitor traffic on website pages to be analyzed. The pseudonymized information may also be stored in cookies on users' devices and may include technical information regarding browsers, operating systems, referring websites, access times, and other information relating to the use of our website. Such information may also be combined with information obtained from other sources.

Information on Legal Bases

Where we request users' consent for the use of Third-Party Providers, the legal basis for processing is their consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in providing efficient, economical, and user-friendly services). In this regard, we also refer you to the information on the use of cookies contained in this Privacy Policy.

Categories of Data Processed

  • Usage data (e.g., page views, time spent on pages, click paths, usage intensity and frequency, device types, operating systems, interactions with content and functions)
  • Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)
  • Facebook Event Data ("Event Data" refers to information transmitted to Meta via the Meta Pixel, apps, or other channels relating to individuals or their actions. This includes website visits, interactions with content and features, app installations, and product purchases. Event Data does not include actual content such as comments, login credentials, or contact details such as names, email addresses, or telephone numbers. Meta deletes Event Data after a maximum of two years, and audiences created from such data are deleted when our Meta user accounts are removed.)

Data Subjects

  • Users (e.g., website visitors and users of online services)

Purposes of Processing

  • Provision and optimization of our online services
  • Marketing
  • Creation of user profiles

Storage and Deletion

Data is deleted in accordance with the provisions set out in the section "General Information on Data Storage and Deletion."

Unless otherwise specified, cookies and similar storage technologies are stored on users' devices for up to two years.

Legal Bases

  • Consent (Art. 6(1)(a) GDPR)
  • Legitimate Interests (Art. 6(1)(f) GDPR)

Facebook Plugins and Content

We use Facebook Social Plugins and embedded Facebook content, including images, videos, text, and buttons that enable users to share content from our website via Facebook.

We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the subsequent processing) of Event Data collected through Facebook Social Plugins and embedded Facebook content used on our website.

This processing serves the following purposes:

  • Displaying content and advertisements that are likely to be relevant to users
  • Delivering commercial and transactional messages (e.g., via Facebook Messenger)
  • Improving advertisement delivery and the personalization of content and functions

We have concluded a Joint Controller Addendum with Meta, which governs the respective responsibilities and the security measures implemented by Meta. Meta has also agreed to facilitate the exercise of data subject rights, allowing users to submit requests for access, deletion, or other rights directly to Meta.

Where Meta provides us with aggregated reports, analytics, and measurement data that do not identify individual users, such processing is carried out under a Data Processing Agreement rather than the joint controllership arrangement. Transfers of data to the United States are based on the EU Standard Contractual Clauses and the Data Privacy Framework where applicable.

Service Provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal Basis:

  • Consent (Art. 6(1)(a) GDPR)

Website:
https://www.facebook.com

Privacy Policy:
https://www.facebook.com/privacy/policy/

Transfers to Third Countries:
Data Privacy Framework (DPF)

Instagram Plugins and Content

We also use Instagram plugins and embedded Instagram content, including images, videos, text, and buttons that enable users to share content from our website via Instagram.

As with Facebook, we are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the subsequent processing) of Event Data collected through Instagram features embedded in our website.

The purposes of processing include:

  • Displaying personalized content and advertising
  • Delivering commercial and transactional communications
  • Improving the delivery of advertisements and personalization of content and features

The responsibilities between us and Meta are governed by the Joint Controller Addendum. Users may exercise their data protection rights directly with Meta. The agreements with Meta do not restrict users' statutory rights.

Service Provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal Basis:

  • Legitimate Interests (Art. 6(1)(f) GDPR)

Website:
https://www.instagram.com

Privacy Policy:
https://privacycenter.instagram.com/policy/

Privacy Information for Whistleblowers

This section provides information on how we process personal data relating to individuals who submit reports (whistleblowers), as well as individuals affected by or involved in the whistleblowing procedure.

Legal Basis (Austria)

Where we process personal data in order to comply with our legal obligations under the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz – HSchG), the legal basis for such processing is Article 6(1)(c) GDPR and, where special categories of personal data are processed, Article 9(2)(g) GDPR, each in conjunction with Section 8 HSchG.

Categories of Personal Data Processed

As part of receiving, assessing, and investigating reports, as well as during the subsequent whistleblowing procedure, we may collect and process various categories of personal data. These include, in particular:

  • the name, contact details, and location of the reporting person;
  • the names of, and information relating to, potential witnesses or other persons affected by the report;
  • the names of, and information relating to, the persons against whom the report is directed;
  • information concerning the alleged misconduct; and
  • any other information relevant to the investigation.

Use of Our Online Reporting Forms

Please note that reports may be submitted anonymously. To enhance the protection of your privacy when using our online reporting forms, we recommend accessing them in your browser's private or "Incognito" mode.

You can open a private browsing window as follows:

  • Windows: Open your browser and press Ctrl + Shift + N.
  • Mac: Open your browser and press Command + Shift + N.
  • Mobile devices: Switch to your browser's private or incognito browsing mode via the tab menu.

Providing Your Name

You may submit reports anonymously. However, unless prohibited by applicable national law, we recommend providing your name and contact details. This enables us to investigate your report more effectively and, where necessary, to contact you directly regarding your submission.

Disclosure of Personal Data to Third Parties

Personal data related to whistleblower reports will only be disclosed to third parties under specific circumstances. Such disclosure will occur only:

  • where you have given your explicit consent; or
  • where we are legally required to disclose the information.

Potential recipients may include public authorities, governmental bodies, regulatory authorities, or tax authorities where disclosure is necessary to comply with applicable legal or regulatory obligations.

Furthermore, where permitted by law, we may engage external legal counsel and other professional advisers to investigate suspected misconduct and to implement appropriate measures following an investigation, including the initiation of disciplinary proceedings or legal action.

Selected and carefully monitored service providers (for example, operators of web-based whistleblowing platforms) may also receive personal data for these purposes. Such service providers are contractually bound, through data processing agreements, to comply with all applicable data protection laws.

Data Retention and Deletion

Personal data will be processed only for as long as necessary to fulfil the purposes described above. Once the personal data is no longer required for these purposes, it will be securely deleted, unless statutory retention obligations require otherwise.

Technical and Organisational Measures

We have implemented appropriate contractual, technical, and organisational measures to ensure the security of all personal data we process. Personal data is processed exclusively for the purposes described in this Privacy Policy.

Amendments and Updates

We encourage you to review this Privacy Policy regularly to stay informed about its contents. We will update this Privacy Policy whenever changes to our data processing activities make this necessary.

Where such changes require your participation (for example, by providing consent) or any other individual notification, we will inform you accordingly.

Where this Privacy Policy contains addresses or contact details of companies or organisations, please note that such information may change over time. We therefore recommend verifying the contact details before making contact.

Definitions

This section provides an overview of the terminology used in this Privacy Policy. Where terms are defined by law, the respective statutory definitions shall apply. The explanations below are intended primarily to facilitate understanding.

Affiliate Tracking

Affiliate tracking refers to the recording of links through which referring websites direct users to websites offering products or other services. Operators of the referring websites may receive a commission if users follow such affiliate links and subsequently purchase products or use services.

To enable this functionality, providers must be able to determine whether users who have shown interest in specific offers accessed those offers via an affiliate link. Therefore, affiliate links contain or are associated with certain values that are stored either as part of the link itself or separately, for example in a cookie. These values may include, in particular, the referring website (referrer), the time of access, an online identifier of the website operator displaying the affiliate link, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as advertising material IDs, partner IDs, and category identifiers.

Employees

Employees are individuals engaged in an employment relationship, whether as workers, staff members, employees, or in comparable positions. An employment relationship is the legal relationship between an employer and an employee established through an employment contract or similar agreement. It includes the employer's obligation to pay remuneration in exchange for the employee's work.

The employment relationship comprises various stages, including its establishment, performance, and termination, whether by resignation, dismissal, mutual agreement, or otherwise.

Employee data includes all information relating to such individuals in the context of their employment. This may include personal identification data, identification numbers, salary and banking details, working hours, leave entitlements, health information, and performance evaluations.

Inventory Data

Inventory data comprises essential information required for the identification and management of contractual partners, user accounts, profiles, and similar relationships. This data may include personal and demographic information such as names, contact details (addresses, telephone numbers, and email addresses), dates of birth, and unique identifiers (e.g., user IDs).

Inventory data forms the basis for formal interactions between individuals and services, organisations, or systems by enabling clear identification and communication.

Content Data

Content data includes information generated during the creation, editing, and publication of content of any kind. This category may include text, images, videos, audio recordings, and other multimedia content published on various platforms and media.

Content data also includes metadata describing the content itself, such as tags, descriptions, author information, and publication dates.

Contact Data

Contact data consists of information enabling communication with individuals or organisations. It includes, among other things, telephone numbers, postal addresses, email addresses, social media account identifiers, and instant messaging identifiers.

Conversion Tracking

Conversion tracking (also referred to as conversion measurement) is a method used to evaluate the effectiveness of marketing activities. Typically, a cookie is stored on a user's device when visiting websites on which marketing measures are displayed and is later retrieved on the target website. This allows us, for example, to determine whether advertisements placed on third-party websites have been successful.

Metadata, Communication Data and Process Data

Metadata, communication data, and process data are categories of information relating to the processing, transmission, and administration of data.

  • Metadata (data about data) includes information describing the context, origin, and structure of other data, such as file size, creation date, document author, and revision history.
  • Communication data records exchanges of information between users through channels such as emails, telephone calls, social media messages, and chat conversations, including the parties involved, timestamps, and transmission methods.
  • Process data describes workflows and operational procedures within systems or organisations, including workflow documentation, transaction logs, activity logs, and audit trails used for monitoring and verification purposes.

Usage Data

Usage data refers to information describing how users interact with digital products, services, or platforms. This includes information about how applications are used, which features are preferred, how long users remain on individual pages, and the navigation paths they follow.

Usage data may also include frequency of use, timestamps, IP addresses, device information, and location data. Such information is particularly valuable for analysing user behaviour, improving user experience, personalising content, and enhancing products and services. It also plays an important role in identifying trends, user preferences, and potential issues within digital offerings.

Personal Data

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Profiles Containing User-Related Information

The processing of profiles containing user-related information ("profiles") refers to any form of automated processing of personal data used to evaluate, analyse, or predict certain personal aspects relating to an individual.

Depending on the type of profiling, this may include analysing demographic information, behaviour, interests, interactions with websites and their content, likely interests in products or services, click behaviour, or location data. Cookies and web beacons are commonly used for profiling purposes.

Log Data

Log data consists of information about events or activities recorded within a system or network. This typically includes timestamps, IP addresses, user actions, error messages, and other information relating to the operation or use of a system.

Log data is commonly used for troubleshooting, security monitoring, and performance analysis.

Reach Measurement

Reach measurement (also referred to as web analytics) is used to analyse visitor traffic to an online service and may include information about visitors' behaviour and interests regarding specific content.

Website operators can use reach measurement to determine, for example, when users visit their websites and which content attracts the most interest. This enables continuous optimisation of website content based on user needs.

Pseudonymised cookies and web beacons are commonly used for reach measurement to recognise returning visitors and generate more accurate usage statistics.

Tracking

Tracking refers to the ability to monitor users' behaviour across multiple online services. Behavioural and interest-related information is generally stored in cookies or on the servers of tracking technology providers (profiling). This information may subsequently be used, for example, to display advertisements that are likely to match users' interests.

Controller

The "Controller" is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is interpreted broadly and includes virtually any handling of personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, deletion, or destruction.

Contract Data

Contract data consists of information relating to the establishment and administration of contractual relationships between two or more parties. It documents the terms under which products or services are provided, exchanged, or sold.

Contract data may include the identities of the contracting parties, contract commencement and termination dates, agreed products or services, pricing arrangements, payment terms, termination rights, renewal options, and special contractual provisions.

Such data forms the legal basis of the contractual relationship and is essential for managing contractual obligations, enforcing legal claims, and resolving disputes.

Payment Data

Payment data includes all information required to process payment transactions between buyers and sellers. This information is essential for e-commerce, online banking, and other forms of financial transactions.

Payment data may include credit card details, bank account information, payment amounts, transaction details, verification codes, billing information, payment status, chargebacks, authorisations, and applicable fees.

Audience Building

Audience building (commonly referred to as Custom Audiences) describes the creation of target groups for advertising purposes, such as displaying personalised advertisements.

For example, a user's interest in particular products or topics may be used to infer that the user is likely to be interested in advertisements for similar products or for the online shop where those products were viewed.

Lookalike Audiences refer to audiences consisting of users whose profiles or interests are considered similar to those of existing users for whom such profiles have already been created.

Cookies and web beacons are commonly used for creating Custom Audiences and Lookalike Audiences.


Created using the free Privacy Policy Generator of Dr. Thomas Schwenke (Datenschutz-Generator.de).