Data privacy
As of: July 14, 2026
Overview of Processing Activities
- Responsible Person
- Summary of Processing Activities
- Applicable Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Business Services
- Business Processes and Procedures
- Provision of Online Services and Web Hosting
- Use of Cookies
- Blogs and Publishing Media
- Contact and Inquiry Management
- Artificial Intelligence (AI)
- Cloud Services
- Newsletter and Electronic Notifications
- Web Analytics, Monitoring, and Optimization
- Online Marketing
- Presence in Social Networks (Social Media)
- Plugins and Embedded Functions and Content
Responsible Person
Marienburg Monheim Betriebs-GmbH
Hofstraße 16
40789 Monheim am Rhein
Authorized Representatives: Alexander Zimmer
Email Address: team@marienburgmonheim.de
Imprint: https://marienburgmonheim.de/de/impressum
Summary of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the affected persons.
Types of Data Processed
- Inventory data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta-, communication-, and process data.
- Event data (Facebook).
- Log data.
Special Categories of Data
- Health data.
Categories of Data Subjects
- Recipients and Auftraggeber (contractors).
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Third persons.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion measurement.
- Target group formation.
- Organizational and administrative procedures.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online services and user-friendliness.
- Information technology infrastructure.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and economic procedures.
- Artificial Intelligence (AI).
Legal Bases
Applicable legal bases under GDPR: The following provides an overview of GDPR legal bases on which we process personal data. Please note that in addition to GDPR regulations, national data protection laws in your or our country of residence or operation may apply. If more specific legal bases are relevant in individual cases, we will inform you in the privacy policy.
- Consent (Art. 6 para. 1 lit. a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR) – Processing is necessary for the performance of a contract with the data subject or to take steps at their request prior to entering into a contract.
- Legal obligation (Art. 6 para. 1 lit. c) GDPR) – Processing is necessary to comply with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 lit. f) GDPR) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override those interests.
Additional national data protection regulations in Germany: Besides GDPR, Germany's Federal Data Protection Act (BDSG) applies. It contains special provisions regarding rights to information, deletion, objection, processing of special categories of personal data, data processing for other purposes, data transfer, and automated decision-making including profiling. State data protection laws of the federal states may also apply.
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure an appropriate level of security.
These include securing the confidentiality, integrity, and availability of data through access controls, physical security, and electronic security measures. We have also established procedures to ensure the exercise of data subjects' rights, data deletion, and response to data breaches. Data protection is considered in the development or selection of hardware, software, and procedures based on the principle of data minimization and data protection-friendly default settings.
Online connections are secured with TLS/SSL encryption technology (HTTPS): To protect the data transmitted by users over our online services from unauthorized access, we use TLS/SSL encryption. TLS, as the more advanced and secure version of SSL, ensures that all data transmitted between the website or app and the user’s browser (or between two servers) are encrypted, protecting the data from unauthorized access. When a website is secured with an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and encrypted.
Transfer of Personal Data
In the course of processing personal data, it may be transferred to other entities, companies, independent organizations, or persons. These recipients may include IT service providers or service providers and content providers embedded in our website. We observe legal requirements and, in particular, conclude appropriate contracts or agreements to protect your data.
Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant access to it. This transfer is based on our legitimate business and economic interests, such as improving business processes, ensuring efficient internal communication, optimal use of resources, and making informed business decisions. In some cases, data transfer may be necessary to fulfill contractual obligations or based on your consent or legal permissions.
International Data Transfers
Data processing in third countries: If we transfer data outside the EU or EEA, or if this occurs when using third-party services or disclosing or transferring data to other persons or companies (which is recognizable by the address of the provider or explicit mention in the privacy policy), it is always done in accordance with legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a lawful framework by the EU Commission decision of July 10, 2023. Additionally, we conclude standard contractual clauses with providers that meet EU standards and establish contractual obligations for data protection.
This dual safeguard ensures comprehensive protection of your data: the DPF as the primary level, and the standard contractual clauses as an additional security measure. Changes in the DPF are covered by the contractual clauses if necessary, to ensure ongoing protection, even if legal or political changes occur.
We inform you whether providers are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/.
For transfers to other third countries, appropriate safeguards such as standard contractual clauses, explicit consent, or legal requirements are applied. Information on third-country transfers and adequacy decisions can be found at the EU Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
General Information on Data Storage and Deletion
We delete personal data processed by us in accordance with legal requirements as soon as the data is no longer necessary for the purposes for which it was collected, or if the processing is not permitted or no longer necessary. Exceptions occur if legal obligations require longer storage or if data must be retained for evidence purposes or to protect the rights of others.
In particular, data that must be stored for commercial or tax reasons, or that is necessary for legal claims or to defend against claims, must be archived accordingly.
Our privacy notices contain additional information on data retention and deletion for specific processing activities.
When multiple data retention periods apply, the longest applies. Data not needed for the original purpose but stored due to legal obligations are processed only to fulfill those obligations.
Data storage and deletion: The following general periods apply under German law:
- 10 years – Retention period for books, records, annual financial statements, inventories, management reports, opening balance sheets, and related organizational documents (§ 147 para. 1 No. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 No. 1 in conjunction with para. 4 HGB).
- 8 years – Accounting documents such as invoices and receipts (§ 147 para. 1 No. 4 and 4a in conjunction with para. 3 AO and § 257 para. 1 No. 4 in conjunction with para. 4 HGB).
- 6 years – Other business documents of importance for taxation, e.g. received business correspondence, outgoing business correspondence, documents relevant for tax purposes, such as wage slips, cost accounting sheets, price tags, or payroll records, unless they are already bookkeeping records (§ 147 para. 1 No. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 No. 2 and 3 in conjunction with para. 4 HGB).
- 3 years – Data necessary to consider warranty and liability claims, or similar contractual claims, based on past business experience and industry practice, stored for the statutory limitation period of three years (§§ 195, 199 BGB).
The period begins at the end of the year in which the period expires. If a period does not specify a date and is at least one year, it starts at the end of the calendar year in which the triggering event occurred. For ongoing contractual relationships, the triggering event is the date of termination or other end of the legal relationship.
Business Services
We process personal data of our contractual and business partners, such as customers, clients, interested parties, suppliers, and other cooperation partners (collectively "partners"), for initiating, executing, and managing contractual relationships or similar legal relationships. This includes pre-contractual measures upon request and communication related to the respective contract.
The processing mainly serves the purpose of fulfilling our contractual main and ancillary obligations, such as service provision, updates, handling warranty or other issues, cancellations, refunds, and processing related declarations and inquiries. It covers both one-time contracts and ongoing relationships.
We process especially the following data: names, addresses, contact details, contract details, usage data, payment data, communication content, and history. If necessary, we also process data disclosed or transmitted to us during the contract execution.
Further, we process data to protect our rights and to comply with legal obligations, especially tax and commercial retention obligations, documentation duties, and proof and accountability requirements. Processing may also be based on our legitimate interests in proper business management, internal administration, risk control, IT security, and protection against abuse and other threats.
Data may be shared with third parties only if necessary for contractual fulfillment, pre-contractual measures, legitimate interests, or legal obligations. Additional processing, especially for marketing, is described separately in this privacy notice.
We inform our partners about which data are required in individual cases, e.g., in online forms by appropriate markings or in personal contact.
Data are deleted once no longer needed for the purposes mentioned and no legal retention obligations prevent deletion. Longer storage may be required by law, e.g., for tax or commercial reasons.
Legal basis for processing: Art. 6 para. 1 lit. b GDPR for contract performance and pre-contractual measures; Art. 6 para. 1 lit. c GDPR for legal obligations; Art. 6 para. 1 lit. f GDPR for legitimate interests, such as proper business management and security.
- Processed Data Types: inventory data, payment data, contact data, contract data, log data, usage data, meta-, communication-, and process data.
- Data Subjects: recipients, contractors, interested parties, business and contract partners, third persons.
- Purposes and Interests: providing contractual services, communication, business and administrative procedures, marketing, sales promotion, public relations, financial and payment management, security measures, IT infrastructure.
- Retention and Deletion: as specified in the "General Information on Data Storage and Deletion" section.
- Legal Bases: Art. 6 para. 1 lit. b, c, f GDPR.
Additional notes on processing processes, procedures, and services:
- Contact management and maintenance: procedures for managing, updating, and securing contact information, including creation of central contact databases, regular updates, access control, backups, and staff training; legal basis: Art. 6 para. 1 lit. b, f GDPR.
- General payment processing: procedures for executing payments, monitoring accounts, and controlling flows, such as transfers, direct debits, account reconciliations, and cash management; legal basis: Art. 6 para. 1 lit. b, f GDPR.
- Accounting, creditor and debtor management: recording, processing, and controlling transactions, invoicing, payment, collection, and reconciliation; legal basis: Art. 6 para. 1 lit. b, c, f GDPR.
- Financial accounting and taxes: recording, managing, and controlling financial transactions, preparing financial statements, tax declarations, and payments; legal basis: Art. 6 para. 1 lit. b, c, f GDPR.
- Marketing and advertising: activities for market analysis, targeting, campaign execution, content creation, online marketing, events, loyalty programs, performance measurement, and budget control; legal basis: Art. 6 para. 1 lit. f GDPR.
- Public relations: developing and executing communication strategies, press releases, media contacts, monitoring media coverage, organizing events, content creation for social media and websites; legal basis: Art. 6 para. 1 lit. f GDPR.
- Guest Wi-Fi: setup, operation, and monitoring of guest wireless networks, including security measures and access control; legal basis: Art. 6 para. 1 lit. b, c, f GDPR.
Provision of Online Services and Web Hosting
We process users’ data to make our online services available. For this purpose, we process the user's IP address, which is necessary to transmit content and functions of our online services to the user's browser or device.
- Processed Data Types: usage data, meta-, communication-, and process data, log data, content data.
- Data Subjects: users (website visitors, online service users).
- Purposes and Interests: providing our online services and usability, IT infrastructure, security measures, contractual performance, and compliance.
- Retention and Deletion: as specified in the "General Information on Data Storage and Deletion" section.
- Legal Bases: legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further information on processing procedures, services, and providers:
- Provision of online offerings on rented servers: We use server providers (web hosts) for storage, computing, and related services; legal basis: Art. 6 para. 1 lit. f GDPR.
- Access logs and log files: We log access to our website in server logs, which include address, filename, date/time, transferred data, success status, browser type/version, OS, referrer URL, and IP address. These are used for security, performance, and troubleshooting; retention: up to 30 days unless needed longer for security reasons; legal basis: Art. 6 para. 1 lit. f GDPR.
- Email sending and hosting: We process email addresses and content to send and store emails, and may analyze for spam detection. Emails are generally not end-to-end encrypted by default; legal basis: Art. 6 para. 1 lit. f GDPR.
- Content Delivery Network (CDN): We use a CDN to distribute large media files faster and more securely; legal basis: Art. 6 para. 1 lit. f GDPR.
- 1&1 IONOS: Hosting services for infrastructure, storage, and related services; provider: 1&1 IONOS SE, Germany; legal basis: Art. 6 para. 1 lit. f GDPR; privacy policy: https://www.ionos.de/terms-gtc/terms-privacy.
- Vercel: Infrastructure and development environment services; provider: Vercel Inc., USA; legal basis: Art. 6 para. 1 lit. f GDPR; privacy policy: https://vercel.com/legal/privacy-policy; data transfer basis: standard contractual clauses (https://vercel.com/legal/dpa).
Use of Cookies
"Cookies" are functions that store and retrieve information on end devices. Cookies may serve purposes such as enabling functionality, security, user convenience, and analysis of visitor traffic. We use cookies according to legal requirements, including obtaining user consent where necessary. Cookies are essential for providing requested features and ensuring functionality and security. Consent can be revoked at any time. We inform clearly about the scope and cookies used.
Legal basis for data processing via cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, especially when cookies are necessary to provide requested features.
Cookie durations vary:
- Temporary/session cookies: Deleted after the session ends or browser is closed.
- Permanent cookies: Remain on the device for up to two years unless deleted earlier.
Users can revoke consent and object to processing (opt-out), e.g., via browser settings.
- Processed Data Types: Meta-, communication-, and process data (IP addresses, timestamps, identifiers, involved persons).
- Data Subjects: users (website visitors, online service users).
- Legal Bases: Consent (Art. 6 para. 1 lit. a), legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further notes on processes, procedures, and services:
- Processing of cookie data based on consent: We use a consent management tool to obtain, document, and manage user consents regarding cookies and similar technologies. This ensures compliance with legal requirements and allows users to manage their preferences. The consent status is stored, e.g., in cookies or server logs, for up to two years; legal basis: Art. 6 para. 1 lit. a GDPR.
Blogs and Publishing Media
We use blogs or similar online communication and publishing tools (collectively "publishing media"). The data of readers are processed only as necessary for display and communication purposes. Additional information about visitor data is provided in this privacy notice.
- Processed Data Types: inventory data, contact data, content data, usage data, meta-, communication-, and process data.
- Data Subjects: users (website visitors, online service users).
- Purposes and Interests: Feedback collection, providing our online presence, and usability.
- Retention and Deletion: as specified in the "General Information on Data Storage and Deletion" section.
- Legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR).
Contact and Inquiry Management
When contacting us (e.g., via mail, contact form, email, phone, or social media) or in the context of existing customer or business relationships, the data of the requesting persons are processed as necessary to answer inquiries and handle related measures.
- Processed Data Types: contact data, content data, communication data.
- Data Subjects: communication partners.
- Purposes and Interests: communication, organizational and administrative procedures, feedback, providing online services, and usability.
- Retention and Deletion: as specified in "General Information on Data Storage and Deletion".
- Legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR); contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR).
Further notes on processes, procedures, and services:
- Contact form: Data submitted via contact forms or other communication channels are processed solely to respond and handle the request. This typically includes name, contact info, and any additional info needed for processing. Legal basis: Art. 6 para. 1 lit. b, f GDPR.
- HubSpot CRM: Customer management, sales tracking, marketing automation, analytics, email campaigns, integration, and customer support; provider: HubSpot Ireland Limited; legal basis: Art. 6 para. 1 lit. b, f GDPR; privacy policy: https://legal.hubspot.com/de/privacy-policy; contract: https://legal.hubspot.com/dpa.
Artificial Intelligence (AI)
We deploy artificial intelligence (AI), processing personal data. The specific purposes and our interest in using AI are listed below. By AI, we mean a "AI system" as defined by the AI Regulation, an automated system designed for increasingly autonomous operation, adaptable after deployment, and capable of producing outputs such as predictions, content, recommendations, or decisions influencing physical or virtual environments.
Our AI systems are used in strict compliance with legal standards, including GDPR and specific AI regulations. We ensure principles like legality, transparency, fairness, human oversight, purpose limitation, data minimization, integrity, and confidentiality are followed. We verify that personal data processing is always legally grounded, either through consent or legal authorization.
When using external AI providers ("AI providers"), we select them carefully and ensure compliance with applicable laws. We also adhere to our obligations when operating or utilizing AI services. Data processing by us and the AI providers always occurs based on consent or legal authorization, emphasizing transparency, fairness, and human control over AI-driven decisions.
To protect processed data, we implement suitable technical and organizational measures to ensure data integrity and confidentiality, minimizing risks. Regular reviews of AI providers and their services help us maintain compliance with current legal and ethical standards.
- Processed Data Types: content data, usage data, and interaction data with content and functions.
- Data Subjects: users (website visitors, online service users), third persons.
- Purposes and Interests: Artificial Intelligence (AI).
- Storage and Deletion: as specified in the "General Information on Data Storage and Deletion".
- Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further information on processing, procedures, and services:
- ChatGPT: AI service designed to understand and generate natural language, analyze information, and make predictions ("AI" in the legal sense); provider: OpenAI Ireland Ltd; legal basis: Art. 6 para. 1 lit. f GDPR; website: https://openai.com/de-DE/chatgpt/overview/; privacy policy: https://openai.com/de-DE/policies/privacy-policy/; opt-out: https://privacy.openai.com/policies?modal=select-subject.
- Google Gemini: AI system for advanced language and image processing, utilizing machine learning for understanding and generating language and analyzing images; provider: Google Cloud EMEA Limited; legal basis: Art. 6 para. 1 lit. f GDPR; website: https://cloud.google.com/; privacy policy: https://business.safety.google/privacy/; data transfer basis: Data Privacy Framework (DPF), standard contractual clauses.
- Claude API: AI service for understanding and generating natural language and related inputs; provider: Anthropic PBC; legal basis: Art. 6 para. 1 lit. f GDPR; website: https://www.anthropic.com/; privacy policy: https://www.anthropic.com/legal/privacy; data transfer basis: standard contractual clauses.
Cloud Services
We use software services accessible via the internet and operated on the servers of their providers (also known as "Cloud Services," also referred to as "Software as a Service") for storing and managing content (e.g., document storage and management, exchange of documents, content, and information with certain recipients, or publishing content and information).
Within this framework, personal data may be processed and stored on the providers' servers, insofar as these are part of communication processes with us or are otherwise processed by us, as outlined in this privacy policy. These data may include, in particular, master data and contact details of users, data related to transactions, contracts, other processes, and their content. Cloud service providers also process usage data and metadata, which they use for security purposes and service optimization.
If we provide forms or other documents and content via cloud services for other users or publicly accessible websites, the providers may store cookies on users' devices for web analysis purposes or to remember user settings (e.g., media control preferences).
- Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information such as authorship or creation time); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features).
- Data Subjects: Interested parties; communication partners; business and contract partners; users (e.g., website visitors, online service users).
- Purposes of Processing and Legitimate Interests: Office and organizational procedures; IT infrastructure (operation and provision of information systems and technical devices like computers, servers, etc.).
- Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".
- Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Additional notes on processing procedures, methods, and services:
- Google Cloud Storage: Cloud storage, cloud infrastructure services, and cloud-based application software; Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://cloud.google.com/; Privacy Policy: https://business.safety.google/privacy/; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum; Basis for Third-Country Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause). More Information: https://cloud.google.com/privacy.
- Google Workspace: Cloud-based applications (e.g., document and spreadsheet editing, calendar and contacts management), cloud storage, and cloud infrastructure services; Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://workspace.google.com/; Privacy Policy: https://business.safety.google/privacy/; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum; Basis for Third-Country Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause). More Information: https://cloud.google.com/privacy.
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter "Newsletter") exclusively with the recipients' consent or based on a legal basis. If the content of the newsletter is specified during registration, that content is decisive for the user's consent. Usually, providing your email address is sufficient for registration. To offer personalized services, we may also ask for your name for personal addressing in the newsletter or additional information if necessary for the newsletter's purpose.
Deletion and Restriction of Processing: We can store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, to prove that consent was previously given. The processing of this data is limited to the purpose of potentially defending against claims. An individual deletion request is always possible, provided that the existence of prior consent is also confirmed. In case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocking list ("blocklist").
The registration process is logged based on our legitimate interests to demonstrate its proper process. If we commission a service provider to send emails, this is also based on our legitimate interests in an efficient and secure mailing system.
Content:
Information about us, our services, promotions, and offers.
- Processed Data Types: Inventory data (e.g., full name, residential address, contact info, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); meta-, communication-, and process data (e.g., IP addresses, timestamps, identifiers, involved persons); usage data (e.g., page views, duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features).
- Data Subjects: Communication partners.
- Purposes and Legitimate Interests: Direct marketing (e.g., via email or postal mail).
- Legal Bases: Consent (Art. 6 para. 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Right to Object (Opt-Out): You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe is included at the end of each newsletter or can be used via other contact options, preferably email.
Additional notes on processing procedures, methods, and services:
- Measuring open and click rates: Our newsletters include a so-called "web beacon," a tiny pixel-sized file that is retrieved from our or a third-party server when the newsletter is opened. This retrieval collects technical information such as browser and system details, your IP address, and the time of access. This information is used to technically improve our newsletter based on technical data, target groups, and reading behavior, such as location (via IP address) or access times. It also helps determine if and when newsletters are opened and which links are clicked. The information is assigned to individual recipients and stored in their profiles until deletion. Based on this, user profiles are created to store behavior and user characteristics. The measurement of open and click rates and the storage of results in user profiles, as well as further processing, are based on user consent. A separate withdrawal of this success measurement is unfortunately not possible; in that case, the entire newsletter subscription must be canceled or objected to. In such cases, stored profile information is deleted; Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
- HubSpot email marketing: Sending emails, creating personalized campaigns, automating workflows, segmenting target groups, integrating with CRM systems, analyzing performance via reports and dashboards; Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://www.hubspot.com/products/marketing/email; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Addendum: https://legal.hubspot.com/dpa.
Web Analytics, Monitoring, and Optimization
Web analytics (also called "reach measurement") analyzes visitor flows on our online offerings and can include behavior, interests, or demographic data such as age or gender in pseudonymous form. This allows us to recognize when our online service or its functions or content are most used, or to invite reuse. It also helps us identify areas needing optimization.
Besides web analytics, we may also use testing methods to evaluate and optimize different versions of our online offerings or their components.
Unless otherwise specified below, profiles (aggregated data for a usage process) may be created and information stored in a browser or on a device and read out later. This includes visited websites, used elements, technical details like browser and operating system, usage times, etc. If users have consented to the collection of their location data, this can also be processed.
Furthermore, users’ IP addresses are stored. However, we use IP masking (pseudonymization by shortening the IP address) to protect users. Generally, no raw user data (such as email addresses or names) are stored in web analytics, A/B testing, or optimization procedures, but pseudonymous data. This means neither we nor the software providers know the actual identity of users but only the data stored in their profiles for those procedures.
Legal basis notes: If we ask users for their consent to use third-party services, the legal basis for data processing is the consent. Otherwise, data are processed based on our legitimate interests (interest in efficient, economical, and recipient-friendly services). We also refer to the information on cookie usage in this privacy policy.
- Processed Data Types: Usage data (page views, duration, click paths, frequency, device types, interactions); meta-, communication-, and process data (IP addresses, timestamps, identifiers, involved persons); location data (geographical info of devices or persons).
- Data Subjects: Users (website visitors, online service users).
- Purposes and Interests: Reach measurement, profiling, providing services, remarketing, conversion tracking, audience segmentation, marketing, user profiling, usability, and optimization; interest-based and behavioral profiling using cookies.
- Storage and Deletion: As per "General Information on Data Storage and Deletion"; cookies stored up to 2 years unless specified otherwise.
- Security Measures: IP masking (pseudonymization).
- Legal Bases: Consent (Art. 6 para. 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Additional information on processing, procedures, and services:
- Google Analytics: We use Google Analytics for measuring and analyzing the use of our online services based on a pseudonymous user ID. This ID contains no personal data like names or emails and is used to assign analysis info to a device, recognizing content accessed, search terms used, interactions, and time. Data such as IP addresses are anonymized (geolocation at city level). The system is designed to process data on EU servers only; Provider: Google Ireland Limited; Legal basis: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://business.safety.google/privacy/; Data Processing Contract: https://cloud.google.com/terms/data-processing-addendum; Basis for Third-Country Transfers: Data Privacy Framework (DPF); Opt-Out: https://tools.google.com/dlpage/gaoptout?hl=de
- Google Tag Manager: We use Google Tag Manager to centrally manage website tags. It does not create user profiles, store cookies, or analyze data itself; it only manages other tags. IP addresses are transmitted to Google for technical purposes. Provider: Google Ireland Limited; Legal basis: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Data Processing Contract: https://business.safety.google/adsprocessorterms
- HubSpot Tracking Code: Collects visitor data like website activity, IP address, and identifiers to monitor traffic and analyze user behavior, helping optimize content, improve engagement, and measure marketing effectiveness; Provider: HubSpot Ireland Limited; Legal basis: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://knowledge.hubspot.com/account/how-does-hubspot-track-visitors; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa
Web Analytics, Monitoring, and Optimization
Web analytics (also known as "reach measurement") serves to evaluate the flow of visitors to our online offerings and can include behavior, interests, or demographic information about visitors, such as age or gender, in pseudonymous form. Using reach analysis, we can, for example, determine when our online offering or its functions or content are most frequently used, or invite reuse. It also enables us to understand which areas need optimization.
In addition to web analytics, we may also use testing procedures to evaluate and optimize different versions of our online offering or its components.
Unless stated otherwise below, profiles—which are collections of data related to a usage process—may be created for these purposes, and information can be stored in a browser or on a device and read back. The data collected includes, in particular, visited websites and used elements, as well as technical information such as the browser used, the computer system, and details about usage times. If users have consented to the collection of their location data with us or the providers of the services we use, location data may also be processed.
Furthermore, users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in web analytics, A/B testing, and optimization, no raw user data (such as email addresses or names) are stored but pseudonymous data. This means neither we nor the providers of the software used know the actual identity of users, only the data stored in their profiles for the respective procedures.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is the consent. Otherwise, user data are processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). We also want to point out the information on the use of cookies in this privacy policy.
- Types of Data Processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features). Meta-, communication-, and process data (e.g., IP addresses, timestamps, identifiers, involved persons).
- Data Subjects: Users (e.g., website visitors, online service users).
- Purposes of Processing and Legitimate Interests: Reach measurement (e.g., access statistics, recognition of repeat visitors); profiles with user-related information (creating user profiles); providing our online services and usability; remarketing; conversion measurement (measuring the effectiveness of marketing activities); marketing; tracking (e.g., interest-/behavior-based profiling, use of cookies). Audience formation.
- Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion". Cookies are stored for up to 2 years unless otherwise specified (i.e., cookies and similar storage methods may be stored on users' devices for a period of two years).
- Security Measures: IP masking (pseudonymization of IP addresses).
- Legal Bases: Consent (Art. 6 para. 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further notes on processing procedures, methods, and services:
- Google Analytics: We use Google Analytics to measure and analyze the usage of our online offerings based on a pseudonymous user identification number. This ID contains no personal data such as names or email addresses. It is used to assign analysis information to a device to recognize which content users accessed within one or several usage processes, which search terms they used, whether they revisited, or interacted with our online offering. The time of use and its duration, as well as the sources that refer users to our online offering and technical details about their devices and browsers, are also stored.
Profiles of users with information from the use of different devices are created using cookies. Google Analytics does not log or store individual IP addresses for EU users. However, it provides coarse geographic location data derived from IP addresses, such as city (and the derived latitude and longitude), continent, country, region, subcontinent (and ID-based equivalents). For EU traffic, IP address data are only used for this geolocation derivation and are immediately deleted afterward. They are not logged, not accessible, and not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the data are forwarded for processing; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://business.safety.google/privacy/; Data Processing Contract: https://cloud.google.com/terms/data-processing-addendum; Basis for Third-Country Transfers: Data Privacy Framework (DPF); Opt-Out: https://tools.google.com/dlpage/gaoptout?hl=de - Google Tag Manager: We use Google Tag Manager, a software from Google, which allows us to centrally manage website tags via a user interface. Tags are small code snippets on our website that collect and analyze visitor activity. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, store cookies with user profiles, or perform independent analyses. Its function is limited to simplifying the integration and management of tools and services used on our website. Nevertheless, when using Google Tag Manager, the IP address of users is transmitted to Google, which is necessary for implementing the services we use. Cookies may also be set during this process. This data processing only occurs when services are embedded via the Tag Manager. For more details about these services and their data processing, refer to the relevant sections of this privacy policy; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Data Processing Contract: https://business.safety.google/adsprocessorterms.
- HubSpot Tracking Code: The tracking code and the tracking pixel collect visitor data, including website activities, IP addresses, and online identifiers, to monitor website traffic and analyze user behavior. These insights help identify visiting companies, assign visits to known contacts, and store information about browsers and devices. The data contribute to optimizing user experience and website performance. The collected data include the company domain (if self-identified by filling out a form or registering), IP address, timestamp of visits, visitor ID, page views, clicks, and device information. Interactions such as scroll behavior, time spent on pages, navigation paths, and referring URLs are also recorded to enable more precise analysis of visitor behavior and detailed insights into visitor journeys. This data is processed based on cookie consent and account settings to improve digital services, generate reports on website traffic and interactions, and refine strategies for content optimization and user engagement. Analyzing user behavior allows companies to tailor content, improve conversion rates, and optimize marketing activities. Additionally, the tracking helps identify repeat visits, segment target groups, and personalize user experiences based on past interactions. These mechanisms also enable companies to track leads and assess the effectiveness of marketing campaigns by analyzing click-through rates, form submissions, and interactions with calls to action. These data help optimize strategies, better target audiences, and maximize engagement with digital content; Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://knowledge.hubspot.com/account/how-does-hubspot-track-visitors; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Contract: https://legal.hubspot.com/dpa
- umami: Web analytics, reach measurement, and user behavior analysis; conducted pseudonymously and without creating user profiles; all user data are stored anonymously, meaning without personal data and without using cookies or similar persistent online identifiers; Service provider: executed on servers and/or computers under their own data protection responsibility; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://umami.is. Privacy Policy: https://umami.is/privacy.
Online Marketing
We process personal data for the purpose of online marketing, which may include the marketing of advertising space or the presentation of advertising and other content (collectively referred to as "content") based on potential user interests and measuring their effectiveness.
For these purposes, so-called user profiles are created and stored in a file ("cookie") or similar procedures are used to save relevant information about the user for the presentation of the aforementioned content. This can include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical details such as the browser used, the computer system, and information about usage times and functions used. If users have consented to the collection of their location data, these can also be processed.
Additionally, users' IP addresses are stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no raw user data (such as email addresses or names) are stored in online marketing processes, only pseudonymous data. This means neither we nor the providers of the online marketing tools know the actual identity of users, only the data stored in their profiles for the respective procedures.
The information in profiles is usually stored in cookies or through similar procedures. These cookies can later also be read on other websites using the same online marketing tool, analyzed for content presentation, supplemented with additional data, and stored on the service provider’s server.
In exceptional cases, it is possible to associate raw data with profiles, especially if users are members of a social network whose online marketing tools we use and the network links user profiles with the aforementioned data. Users should note that additional agreements may be made with the providers, for example through consent during registration.
We generally only gain access to aggregated information about the success of our advertisements. However, in the context of so-called conversion measurement, we can check which of our online marketing tools led to a so-called conversion, e.g., a contract conclusion with us. Conversion measurement is used solely for analyzing the success of our marketing activities.
Unless otherwise stated, you should assume that cookies used are stored for a period of two years.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is that consent. Otherwise, user data are processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). We also want to point out the information on the use of cookies in this privacy policy.
Notes on revocation and objection:
We refer to the privacy notices of the respective providers and the opt-out options provided (so-called "Opt-Out"). If no explicit opt-out possibility is given, users can disable cookies in their browser settings, which may limit the functionality of our online services. We additionally recommend the following opt-out options, which are offered collectively for specific regions:
a) Europe: https://youronlinechoices.eu/
b) Canada: https://youradchoices.ca/
c) USA: https://optout.aboutads.info/
d) Cross-regional: https://optout.aboutads.info
- Types of Data Processed: Content data (e.g., text or image messages and posts, and related information such as authorship or creation time); usage data (e.g., page views, duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); meta-, communication-, and process data (e.g., IP addresses, timestamps, identifiers, involved persons). Event data (Facebook) ("Event data" refers to information sent via Meta Pixel (via apps or other channels) about persons or their actions. This includes details about website visits, interactions with content and functions, app installs, and product purchases. Event data is processed to create target groups for content and advertising messages (Custom Audiences). It's important to note that event data does not include actual content like comments, login information, or contact details such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the target groups created from it disappear when our Meta user accounts are deleted).
- Data Subjects: Users (e.g., website visitors, online service users).
- Purposes of Processing and Legitimate Interests: Reach measurement (e.g., access statistics, recognition of repeat visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); conversion measurement (assessing the effectiveness of marketing activities); audience formation; marketing; profiles with user-related information (creating user profiles); providing our online offerings and usability; remarketing.
- Storage and Deletion: As specified in the section "General information on data storage and deletion". Cookies are stored for up to 2 years unless otherwise specified (cookies and similar storage methods may be stored on users' devices for up to two years).
- Security measures: IP masking (pseudonymization of IP addresses).
- Legal bases: Consent (Art. 6 para. 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further notes on processing procedures, methods, and services:
- Meta Pixel and Audience Formation (Custom Audiences): Using Meta Pixel (or similar functions for transmitting event data or contact information via interfaces in apps), Meta can determine the visitors of our online offering as a target audience for displaying ads ("Meta Ads"). We use the Meta Pixel to ensure that the Meta ads we run are only shown to users who have shown interest in our online offering or have certain characteristics (e.g., interest in certain topics or products derived from visited websites), which we transmit to Meta ("Custom Audiences"). The Meta Pixel also helps us verify the effectiveness of Meta ads for statistical and market research purposes, for example, by seeing if users were redirected to our website after clicking on a Meta ad ("conversion measurement"). Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Contract: https://www.facebook.com/legal/terms/dataprocessing; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF); Further Information: User event data, i.e., behavior and interest information, are processed for targeted advertising and audience building based on the joint controllership agreement ("Controller Addendum") (https://www.facebook.com/legal/controller_addendum). The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, an EU-based company. The further processing of data, including possible transfer to Meta Platforms Inc. in the USA, is solely the responsibility of Meta Platforms Ireland Limited.
- Google Ad Manager: We use the service "Google Ad Manager" to place ads in the Google ad network (e.g., in search results, videos, websites). Google Ad Manager shows ads in real-time based on presumed user interests, allowing us to display ads to users who might be interested in our offerings or have previously shown interest, and to measure the success of the ads. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF); Further Information: Types of processing and data: https://business.safety.google/adsservices/; Data Processing Terms for Google advertising products: https://business.safety.google/adscontrollerterms; If Google acts as a processor, data processing terms for Google advertising products and standard contractual clauses for cross-border data transfers: https://business.safety.google/adsprocessorterms.
- Google Ads Remarketing: Google remarketing, also called retargeting, is a technology that allows users of an online service to be added to a pseudonymous remarketing list, so that ads related to their visit to the online service can be shown on other online offerings. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF); Further Information: Types of processing and data: https://business.safety.google/adsservices/. Data processing conditions between controllers and standard contractual clauses for cross-border data transfers: https://business.safety.google/adscontrollerterms.
- Instagram Ads: Running ads within the Instagram platform and analyzing ad results; Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF).
Social Media Presence
We maintain online presences within social networks and process user data in this context to communicate with active users or provide information about us.
We point out that user data may be processed outside the European Union. This can pose risks for users, such as complicating the enforcement of their rights.
Furthermore, user data within social networks are typically processed for market research and advertising purposes. For example, usage profiles can be created based on usage behavior and resulting interests. These profiles may also be used to display ads within and outside the networks that are presumed to match the interests of the users. As a result, cookies are usually stored on users' devices, containing their usage behavior and interests. Additionally, data can be stored independently of the devices used by users (especially if they are members of the respective platforms and logged in).
For a detailed description of the respective processing methods and opt-out options, please refer to the privacy notices and information provided by the operators of the respective networks.
We also point out that in case of inquiries and exercising data subject rights, these are most effectively asserted directly with the providers. Only they have access to the user data and can take direct action and provide information. If you need assistance, you can contact us.
- Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and posts, and related information such as authorship or creation time); usage data (e.g., page views, duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features).
- Data Subjects: Users (e.g., website visitors, online service users).
- Purposes of Processing and Legitimate Interests: Communication; feedback (e.g., collecting feedback via online forms); public relations.
- Storage and Deletion: As specified in the section "General information on data storage and deletion".
- Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further notes on processing procedures, methods, and services:
- Instagram: Social network enabling photo and video sharing, commenting, favoriting posts, messaging, following profiles and pages; Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF).
- Facebook Pages: Profiles within the Facebook social network - The data controller is jointly responsible with Meta Platforms Ireland Limited for collecting and transmitting data of visitors to our Facebook page ("Fanpage"). This includes information about user behavior (e.g., viewed or interacted content, actions performed) and device information (e.g., IP address, operating system, browser type, language settings, cookie data). Details can be found in Facebook's data policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical evaluations via the "Page Insights" service, showing how people interact with our page and its content. The basis for this is an agreement with Facebook ("Page Insights" information: https://www.facebook.com/legal/terms/page_controller_addendum), which includes security measures and the exercise of data subjects' rights. Users can make inquiries or delete data directly with Facebook. The rights (e.g., right to information, deletion, objection, complaint to a supervisory authority) are not affected. The joint responsibility is limited to the collection of data by Meta Platforms Ireland Limited, an EU-based company. Further processing, including possible transfer to Meta Platforms Inc. in the USA, is solely the responsibility of Meta Platforms Ireland Limited.
- Facebook Events: Event profiles within Facebook - We use the "Events" feature of Facebook to promote events and appointments, communicate with participants and interested parties, and exchange information. We process personal data of users of our event pages as needed for event management and moderation. This includes names, content shared or posted, participation status, and timestamps. We also refer to Facebook's data processing: details about content viewed or interacted with, device information (e.g., IP address, OS, browser, cookies), as well as actions taken (see "Things you and others do and provide" in Facebook's data policy: https://www.facebook.com/privacy/policy/). Facebook also collects data for analytics ("Insights") to understand interactions with events and content. Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF).
- LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for collecting (but not further processing) visitor data used to generate "Page Insights" (statistics) for our LinkedIn profiles. This includes information about viewed or interacted content, actions taken, device details (IP, OS, browser, cookies), and profile details (job function, country, industry, hierarchy level, company size, employment status). Details on data processing by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy. We have a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum": https://legal.linkedin.com/pages-joint-controller-addendum), which specifies security measures and LinkedIn's obligation to fulfill data subjects' rights (e.g., inquiries, deletion requests). The rights of users do not differ from those under this agreement. The joint responsibility covers only the collection and transmission of data to LinkedIn Ireland Limited, an EU company. Further processing, including transfer to LinkedIn Corporation in the USA, is the sole responsibility of LinkedIn Ireland Limited.
Plugins, Embedded Functions, and Content
We embed functional and content elements from servers of their respective providers (referred to as "third-party providers"). These can include graphics, videos, or maps (collectively "content").
The embedding always requires that the third-party providers process the IP address of users, as they cannot send content to the users' browsers without it. The IP address is thus necessary for displaying these contents or functions. We strive to use only content whose providers only use the IP address for delivery. Third-party providers may also use pixel tags (invisible graphics, also called "web beacons") for statistical or marketing purposes. These tags can evaluate information such as visitor traffic, and the pseudonymous data may be stored in cookies on the user's device, containing technical details like browser and OS, referrer URLs, visit times, and other usage data, possibly linked with other sources.
Notes on legal bases: If we ask users for their consent to use third-party content, the legal basis is that consent. Otherwise, user data are processed based on our legitimate interests (interest in efficient, economical, and user-friendly services). We also point out the information on cookie usage in this privacy policy.
- Types of Data Processed: Usage data (page views, duration, click paths, device types, OS, interactions); meta-, communication-, and process data (IP addresses, timestamps, identifiers, involved persons); location data (geographical position of a device or person).
- Data Subjects: Users (website visitors, online service users).
- Purposes of Processing and Legitimate Interests: Providing our online services and usability; reach measurement; tracking; audience formation; marketing; fulfilling contractual obligations.
- Storage and Deletion: As specified in "General information on data storage and deletion". Cookies are stored for up to 2 years unless otherwise specified (similar storage methods on users' devices).
- Legal bases: Consent (Art. 6 para. 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further notes on processing procedures, methods, and services:
- Embedding third-party software, scripts, or frameworks (e.g., jQuery): We embed software from other providers' servers (e.g., libraries for display or usability). These providers may collect IP addresses to deliver the software, ensure security, or optimize their service. Our embedding of such software is based on legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Google Fonts (hosted on our server): Fonts are provided for user-friendly display; no data are transmitted to Google; based on legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Google Maps: We embed maps from Google Maps. Data processed can include IP addresses and location data; Provider: Google Cloud EMEA Limited, Dublin, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://business.safety.google/privacy/; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF).
- reCAPTCHA: We use reCAPTCHA to verify whether inputs (e.g., in online forms) are made by humans or automated bots. Data processed can include IP addresses, system and browser information, language settings, location, mouse movements, keystrokes, time spent on pages, previous visits, interactions with reCAPTCHA on other sites, cookies, and results of manual recognition steps (e.g., answering questions, selecting images). Data processing is based on our legitimate interest to protect our online offering from abuse and spam; Provider: Google Ireland Limited, Dublin, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://cloud.google.com/security/products/recaptcha; Privacy Policy: https://business.safety.google/privacy/; Data Processing Contract: https://cloud.google.com/terms/data-processing-addendum; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/sccs/eu-c2p).
- YouTube Videos: Video content; Provider: Google Ireland Limited, Dublin, Ireland; Legal bases: Consent (Art. 6 para. 1 lit. a GDPR); Website: https://www.youtube.com; Privacy Policy: https://business.safety.google/privacy/; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF). Opt-Out: https://tools.google.com/dlpage/gaoptout?hl=de, and ad personalization settings at https://myadcenter.google.com/personalizationoff.
- Adobe Fonts: Providing fonts for web and print designs, font synchronization across devices, access to a library of licensed fonts for creative projects, and managing fonts within projects; Provider: Adobe Systems Software Ireland, Dublin, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); Website: https://www.adobe.com/de/; Privacy Policy: https://www.adobe.com/de/privacy.html; Basis for Cross-Border Data Transfers: Data Privacy Framework (DPF); Further Information: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.