Thank you for the interest you have shown in our website and the services we offer. We attach great importance to protecting your personal details. We would like to provide detailed information below on the data we collect when you visit our website and use our services and how we subsequently process and use these, as well as the accompanying technical and organizational measures we adopt to protect your privacy.
I. Scope of application and regulatory foundations
(1) This Privacy Notice provides information about the nature, scope and purpose of the processing of personal data in connection with our online services and the affiliated web pages, functions and content.
(2) As regards the terms used, e. g. “personal data” or their “processing”, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
(3) The term “user” includes all categories of persons affected by data processing. This includes our business partners, (potential) customers, and other visitors of our websites. The terms used, such as “user”, are used in a gender-neutral manner.
(4) The term “user” includes all categories of persons affected by data processing. This includes our business partners, (potential) customers, and other visitors of our websites. The terms used, such as “user”, are used in a gender-neutral manner.
- Inventory data (e.g. names and addresses of customers);
- Contact data (e. g. email address, phone number);
- Contract data (e.g. services requested or purchased products);
- Usage data (e.g. websites of our online content that you visited, interests in our services and products);
- Content data (e.g. text entries), as well as
- Technical data (e.g. IP addresses, device information)
(5) The personal data of users are processed for the following purposes in particular:
- Provision of the website, its functions and contents;
- Provision of our contractual services;
- Customer care;
- Replies to contact requests and communication with users;
- Marketing, as well as
- Security of the website.
(6) We only process personal data of the users in strict compliance with the relevant data protection provisions. This means that the data of users are only processed if a statutory permission applies. In particular, this is the case where data processing is necessary or mandatory by law to provide our contractual services (e.g. to process contracts and orders) and for our online services, where the users granted permission or where processing is based on our legitimate interest. Legitimate interests can be the analysis, optimisation, security and the economic operation of our website.
(7) We point out that the legal basis for consents is Art. 6(1) point (a) and Art. 7 GDPR, the legal basis for the processing for performance of our services and execution of contractual measures Art. 6(1) point (b) GDPR, the legal basis for the processing for compliance with our legal obligation Art. 6(1) point (c) GDPR and the legal basis for the processing in order to safeguard our legitimate interests Art. 6(1) point (f) GDPR.
II. Security measures
(1) In accordance with Art. 32 of the GDPR, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This is to protect the data processed by us especially against accidental or deliberate manipulation, loss, deletion or unauthorised third-party access. The safety measures also include the encrypted transfer of data between your browser and our server.
(2) In addition, we have put procedures in place that ensure compliance with the rights of data subjects, the erasure of data and a reaction to hazards to data security.
III. Data Dissemination to Third Parties and Third-Party Suppliers
(1) Where in the context of processing we do disclose or transmit your data to other persons and companies (processors or third parties) or otherwise give third parties access to the data, this will only be on the basis of a legal permission. This apples, for example, to a transmission of data to third parties pursuant to Art. 6(1) point (b) GDPR, if this is necessary for contract fulfilment, if you have granted consent (Art. 6(1) point (a), and Art. 7 GDPR), if a legal obligation so provides (Art. 6(1) point (c) GDPR) or based on our legitimate interests pursuant to Art. 6(1) point (f) GDPR (e.g. when using vicarious agents, web hosts, etc.).
(2) ) Where we process data in a third country (i.e. outside the European Union or the European Economic Area) or where we do so using third-party services or where such processing takes place subject to disclosure or transmission of data to third parties, this only takes place if the special conditions set out in Art. 44 et seqq. GDPR are met in addition. That means the processing is based on special safeguards, such as an official decision that the level of data protection corresponds to that of the EU (e.g. ‘Privacy Shield’ for the US), or in compliance with officially recognised special contractual commitments (so-called ‘standard contractual clauses’).
(3) If we commission third parties with the processing of data in terms of a so-called ‘data-processing contract’, this will be on the basis of Art. 28 of the GDPR.
IV. Collection of access data and log files
(1) We will collect data on each access to the server where the service is hosted (referred to as server log files) based on our legitimate interests as defined by Art. 6(1) point (f) GDPR. These data are required for technical reasons to display our website for you and to ensure its stability and security. Access data in particular include the name of the web page visited, the file, the date and time of access, the volume of data transferred, a notification of successful access, the browser type and version used, the user’s operating system, the previously visited web page, and the IP address.
(2) Log file information shall be saved for a maximum of seven days for security reasons (e. g. clarification of acts of misuse or fraud) and shall be erased afterwards. Data which must be retained for longer periods for the purpose of evidence are exempted from erasure until the respective incident has been cleared up definitively.
V. Provision of contractually-agreed services
(1) We process inventory, contact, contract, and content data in order to comply with our contractual obligations and services pursuant to Art. 6(1) point (b) GDPR. The entries which are marked as mandatory in online forms are required to conclude the contract.
(2) User data can be saved in our customer relationship management system (“CRM system”). We use the CRM System Pipedrive of Pipedrive OÜ, Paldiski mnt 80, Tallinn 10617, Estonia, based on our legitimate interests (efficient and quick processing of customer enquiries and customer relationships) as well as on a contract for contract data processing pursuant to Art. 28 GDPR.
(3) Users that utilise our software service have to register and to create a user account from which they can, amongst others, access the license booked by them and their invoices. During the registration, the user is informed about the required mandatory information. The user account is deleted by terminating the contractual relationship the use of the software is based on.
(4) In case of registration and subsequent log-ins as well as the use of our online services, we save the IP address and the time of the user action. The saving of data is based on our own and also the users’ legitimate interests in the protection against misuse and other unauthorised use. These data are generally not transmitted to any third party except it is required for the pursuit of our claims or there is a legal obligation acc. to Art. 6(1) point (c) GDPR. The stored data will be erased automatically after 7 days. Data which must be retained for longer periods for the purpose of evidence are exempted from erasure until the respective incident has been cleared up definitively.
(5) The erasure of data to provide contractually agreed services shall take place after expiry of statutory and comparable obligations. If statutory archiving obligations apply, the data shall be erased when these obligations expire (end of retention requirement acc. to commercial (6 years) or tax law (10 years)). Entries in any customer account remain there until they are deleted.
VI. Contacting us
If you contact us by email, the user information is processed for the purpose of handling the contact request in accordance with Art. 6(1) point (b) GDPR. We delete the data collected in this context after their storage is no longer required, or limit processing if there are statutory retention obligations.
(1) In the following, we will inform you about the content of our newsletter as well as the registration and sending procedure and your rights to object. By subscribing to our newsletter, you agree to receive the newsletter and to the described procedure.
(2) We only send newsletters containing advertisements by email if the recipients have consented to this or if legally permitted. Our newsletters contain information on our products and services, events and our company.
(3) Registration for our newsletter is based on a so-called double opt in procedure. This means that after registration, you will receive an email in which you are asked to confirm your registration. This confirmation is required to ensure that nobody can register using other people’s email addresses. Registrations for the newsletter will be recorded to be able to provide proof of the registration process according to the legal requirements. This includes the saving of the registration and confirmation time as well as the IP address. This serves as a means of proof of your subscription and, if applicable, to resolve any misuse of your personal data. This takes place on the basis of Art. 6(1) point (f) GDPR.
(4) The newsletter is sent using “MailChimp”, a newsletter dispatch platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection provisions of the distribution service provider can be viewed at: https://mailchimp.com/legal/privacy/. Rocket Science Group LLC d/b/a MailChimp has been certified under the Privacy Shield agreement and thus provides a guarantee for compliance with the European data protection level,
(5) To register for the newsletter, you only have to provide your email address. In order to be able to address you personally, we would like to ask you to provide us with your first name and/or surname; this is optional. We store these data for the purpose of sending you the newsletter. The legal basis is Art. 6(1) point (a) GDPR.
(6) ) The newsletters include a so-called “web beacon”, i.e. a pixel-sized file which is retrieved from the server of the marketing service when the newsletter is opened. During this retrieval, mainly technical information such as information on your browser and system as well as your IP address and the time of retrieval is recorded. This information is used for the technical improvement of services using the technical data or the target groups and their reading behaviour based on the place of retrieval (which can be identified with the help of the IP address) or the access times. The statistical survey also includes verification regarding whether the newsletters are opened, when they are opened, and which links are clicked. This information can be assigned to the individual newsletter recipients for technical reasons. It is however, neither our nor the marketing service’s aim to monitor individual users. The analyses are rather intended to identify our users’ reading habits and to adjust our content accordingly or to send different content depending on the interests of our users.
(7) You may withdraw your consent given for the receipt of our newsletter at any time. A link to exercise your right to withdrawal can be found at the end of each newsletter. If the users only subscribed to the newsletter and this registration is cancelled, their personal data will be erased.
(1) We use cookie technology for our website. Cookies are small text files that are stored on your end device, as assigned accordingly by the browser that you use, which allow the entity that places the cookie (in this case, us) to then receive certain information. Cookies cannot run programs or transmit viruses to your computer. Their purpose is to make the overall web offering more user-friendly and effective.
(3) You can erase the cookies in the security settings of your browser at any time. Furthermore, you can configure your browser setting according to your requirements and can, for example, decline the acceptance of third party cookies or any cookies at all. Please note that in this case, you may not be able to use all of the functions of our website.
X. Google Analytics
(2) Google will use this information on our behalf to analyse the usage of our online services by the users, compile reports on the activities within these online services and to provide further services to us which are connected to the usage of these online services and internet usage. In this connection, pseudonymous usage profiles of users may be created.
(3) We use Google Analytics to show ads which are provided by Google web services and their partners only to those users who have shown interest in our online services or have certain characteristics (e. g. interest in certain topics or products which is determined based on visited web pages) which we transmit to Google (referred to as “remarketing” or “Google Analytics audiences”). With the help of remarketing audiences, we would also like to ensure that our ads correspond to the potential interest of the users and do not constitute an annoyance.
(4) We only use Google Analytics with enabled IP anonymisation. This means that the users’ IP address is abbreviated by Google within Member States of the European Union or in other states that are a party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there.
(5) The IP address which is transmitted by the user’s browser will not be combined with other data from Google. Users have the option to prevent the saving of cookies by a corresponding setting in the browser software; in addition, users can prevent the transmission of the data which is generated by the cookie and refer to the usage of the online services to Google and the processing of these data by Google by downloading and installing the browser plug-in which is available under the following link:
(6) Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001.
(1) Based on our legitimate interests (i. e. interest in the analysis, optimisation and economical operation of our online services in accordance with Art. 6(1) point (f) GDPR), we use the marketing and remarketing services (in short “Google Marketing Services”) by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”). Google is certified according to the Privacy Shield Agreement and thus guarantees compliance with the European Data Protection Legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
(2) The Google Marketing Services allow us to display ads for and on our website in a more targeted manner to present only ads to users which potentially correspond to their interests. If e. g. ads are displayed for products in which a user has shown interest on other webpages, this is called “remarketing”. For this purpose, a Google code is executed directly by Google when our web pages and other web pages on which Google Marketing Services are active are accessed and so-called (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are embedded. With the help of these tags, an individual cookie, i.e. a small file, is saved on the user’s device (instead of cookies other comparable technologies may also be used). Cookies can be set by various domains including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The web pages visited by the user, the content they are interested in, the offers they clicked on as well as technical information on browser and operating system, referring web sites, duration of the visit and other information regarding the usage of the online services are stored in this file. In addition, the user’s IP address is recorded. In this regard, we inform you within the scope of Google Analytics that the IP address is abbreviated in EU member states or other states in the European Economic Area and is only transmitted as a whole to a Google server in the USA and abbreviated there in exceptional cases. The IP address will not be matched with data of the user within other services provided by Google. Google may connect the above information to corresponding information from other sources. If the user subsequently visits other web pages, ads which are adjusted to their interests can be displayed.
(3) The data of the users will be processed pseudonymously within the scope of Google Marketing Services. This means that Google saves and processes e. g. not the user’s name or email address, but the relevant data based on cookies in pseudonymous user profiles. This means that from Google’s point of view, the ads are not managed and displayed for an actually identified person but for cookie owners independent of the identity of the cookie owner. This does not apply if a user has expressly allowed Google to process data without pseudonymisation. The information which Google Marketing Services has collected on the user are transmitted to Google and saved on Google servers in the USA.
(4) Google Marketing Services we use include the online advertising program “Google AdWords” and others. In case of Google AdWords, each AdWords customer receives a different “conversion cookie”. Cookies can therefore not be tracked via the websites of AdWords customers. The information which was obtained with the help of the cookie is used to create conversion statistics for AdWords customers who opted for conversion tracking. AdWords customers receive information on the total number of users who clicked on their advertisement and were referred to a page with a conversion tracking tag. They do not, however, receive any information which can be used for the personal identification of users.
(6) For further information on data use for marketing purposes by Google, please refer to the overview page: https://policies.google.com/technologies/ads; ; Google’s Privacy Notice is available under https://policies.google.com/privacy. If you would like to object to the interest-related advertising by Google Marketing Services, you can use the setting and opt-out options provided by Google, please refer to https://adssettings.google.com/authenticated.
XII. Outreach analysis with Matomo
(1) The outreach analysis with Matomo includes the collection and storage of the following data: the browser type and browser version used by you, the operating system you use, your country of origin, date and time of the server request, the number of visits, the time you spend on the website, and the external links you click on. The IP address of the users is anonymised before it is stored.
(3) Users can object to the anonymised collection of data with the programme Matomo with effect for the future at any time by clicking on the link below. In this case, a so-called opt-out cookie will be placed in your web browser, which means Matomo will no longer collect any session data. However, if the users delete their cookies, the opt-out cookie will be deleted as well, so that the users will have to reactivate it.
(4) Opt-Out Cookie.
XIII. Use of social media plug-ins
(1) We currently use the following social media plug-ins: Facebook, Google+, and Twitter. We use what is referred to as the so-called “double click solution”. This means that when you visit our website, categorically no personal data will initially be forwarded to the providers of the plug-ins. You can recognise the provider of the plug-in by the first letters of its name being marked on the box or the logo. We provide you with the possibility to communicate directly with the plug-in provider by using the button. Only when you click the highlighted box, thereby enabling it, does the plug-in provider receive the information that you have accessed the corresponding page on our website. The data stated under section 4 of this Policy will also be transmitted. By activating the plug-in, your personal data will be transferred to the respective plug-in provider and stored there (in the case of the American (USA) providers, in the USA). As the plug-in provider mainly carries out the data collection using cookies, we recommend erasing all cookies with the use of the security settings of your browser before clicking on the greyed out box.
(2) We have no influence on the collected data or the data processing procedures, nor are we aware of the full extent of the data that is collected, the purposes of the processing or the retention periods. Further, we do not have any information on the erasure of the data that is collected by the providers of the plug-ins.
(3) The plug-in provider will store the data collected about you as a user profile and use it for the purposes of advertising, market research and/or the custom configuration of their website. Data (including data of users who are not logged in) are for example evaluated in this way to provide custom advertising and to inform other users of the social network about your use of our website. You have the right to object to the creation of such user profiles; if you intend to exercise this right, you must contact the respective plug-in provider. With the plug-ins, we offer you the possibility to interact with social networks and other users so that we can improve our website and make it more interesting for you, the user. The legal basis for the use of plug-ins is Art. 6(1) point (f) GDPR.
(4) The forwarding of data takes place regardless of whether you have an account with the plug-in provider and are logged in or not. If you are logged in with the plug-in provider, the data collected by us about you will directly be assigned to your existing account with the plug-in provider. If you press the activated button and link to the page e.g., the plug-in provider will also store this information in your user account and share it publicly with your contacts. We recommend that you regularly log out after using a social network, especially before activating the button, as this will allow you to prevent the plug-in provider assigning something to your profile.
(5) Further information on the purpose and scope of data collection and processing by the plug-in provider is available in the following privacy policies of these providers. There, you will also find further information about your rights regarding this topic and your settings options for the protection of your private sphere.
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php;
further information on data collection:
Facebook has agreed to comply with the EU-US Privacy Shield,
Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA;
Google has agreed to comply with the EU-US Privacy Shield,
Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy.
Twitter has agreed to comply with the EU-US Privacy Shield,
XIV. Embedding YouTube Videos
(1) We have embedded YouTube videos in our online offering which are stored at https://www.YouTube.com and can be played directly from our website. All such videos have been embedded in the “enhanced data protection mode”, which means that no data about you as a user will be transferred to YouTube if you do not play the videos. The data stated in paragraph 2 will only be transferred if you play the videos. We have no control over such transfer of data.
(2) When you visit the website, YouTube receives information that you have accessed the relevant sub-page of our website. The data stated under section 4 of this Policy will also be transmitted. This will take place regardless of whether YouTube provides a user account into which you are logged in or if no user account exists. If you are logged into Google, your data will be associated directly with your account. If you do not want the data to be assigned to your YouTube profile, you must log out before activating the button. YouTube will store your data as user profiles and use them for the purposes of advertising, market research and/or the needs-based configuration of its website. In particular, this evaluation takes place (including for users who are not logged in) for the provision of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles; if you intend to exercise this right, please contact YouTube.
Google may process your personal data in the US, and has agreed to comply with the EU-US - Privacy Shield,
XV. Rights of the users
(1) ) Users have the right to obtain information about the personal data that we process in relation to them free of charge and upon their request.
(2) In addition, users are entitled to rectification of inaccurate data, restriction of processing and erasure of their personal data, where applicable, the right to data portability and, if unlawful data processing is assumed, the right to lodge a complaint with the competent supervisory authority.
(3) Moreover, users can, with effect for the future, withdraw consents.
(4) Ansprechperson ist unser Datenschutzbeauftrager:
DID Dresdner Institut für Datenschutz | Stiftung bürgerlichen Rechts
XVI. Erasure of data
(1) The data we have saved will be erased as soon as they are no longer required for their purpose and the erasure does not conflict with any statutory retention obligations. If the data of the users are not erased, since they are required for other purposes which are permitted by law, their processing will be restricted. This means that the data will be blocked and not processed for any other purposes. This applies e. g. to data which has to be preserved due to commercial law or tax law.
(2) In accordance with legal requirements, data are stored for 6 years pursuant to section 257 clause 1 Commercial Code (e.g. commercial and business correspondence) and for 10 years pursuant to section 147 clause 1 Fiscal Code (e.g. account books and booking confirmations).
XVII. Right to Object
Users can object to the future processing of their personal data according to the legal requirements at any time. The right to object applies, in particular, to the processing for direct marketing purposes.