Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Data Controller

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

• Master data
• Employee data
• Contact data
• Content data
• Usage data
• Meta, communication and procedure data
• Protocol data

Categories of Data Subjects

• Employees
• Communication partners
• Users
• Third parties
• Whistleblowers

Purposes of Processing

• Communication
• Security measures
• Direct marketing
• Range measurement
• Organizational and administrative procedures
• Feedback
• Profiles with user-related information
• Provision of our online offer and user-friendliness
• Information technology infrastructure
• Whistleblower protection

Legal Basis

Applicable Legal Basis under GDPR: Below you will find an overview of the legal basis of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile.

• Consent (Art. 6 para. 1 p. 1 lit. a GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 para. 1 p. 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

The measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transmission, securing availability and their separation.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission dated July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers.

Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are withdrawn or there are no further legal grounds for processing.

Retention and deletion of data: The following general periods apply for retention and archiving under German law:

• 10 years - Books and records, annual financial statements, inventories, management reports, opening balance sheets
• 8 years - Booking documents, such as invoices and cost documents
• 6 years - Other business documents
• 3 years - Data required to consider potential warranty and damages claims

Rights of Data Subjects

As a data subject under the GDPR, you have various rights, particularly arising from Art. 15 to 21 GDPR:

• Right to object: You have the right to object at any time to processing of your personal data for reasons arising from your particular situation.
• Right of withdrawal: You have the right to withdraw given consents at any time.
• Right of access: You have the right to obtain confirmation as to whether personal data concerning you are being processed.
• Right to rectification: You have the right to obtain rectification of inaccurate personal data concerning you.
• Right to erasure and restriction: You have the right to obtain erasure of personal data concerning you or restriction of processing.
• Right to data portability: You have the right to receive personal data concerning you in a structured, commonly used format.
• Complaint to supervisory authority: You have the right to lodge a complaint with a supervisory authority.

Provision of Online Offer and Web Hosting

We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Collection of access data and log files: Access to our online offer is logged in the form of "server log files". Server log files may include the address and name of retrieved web pages and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, user's operating system, referrer URL, and IP addresses.

Use of Cookies

The term "cookies" refers to functions that store and read information on users' devices. Cookies can be used for various purposes, such as functionality, security, and comfort of online offers, as well as creating analyses of visitor flows.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

• Temporary cookies (session cookies): Deleted when the user leaves the online offer and closes their device.
• Permanent cookies: Remain stored even after closing the device, with storage duration up to two years.

Contact and Inquiry Management

When contacting us (e.g., via contact form, email, telephone, or social media), the information provided by the inquiring persons is processed to the extent necessary to respond to contact inquiries and any requested measures.

Web Analytics, Monitoring and Optimization

Web analytics serves to evaluate visitor flows to our online offer and may include behavior, interests, or demographic information about visitors as pseudonymous values. With the help of range analysis, we can recognize when our online offer is most frequently used.

Google Analytics: We use Google Analytics to measure and analyze the use of our online offer based on a pseudonymous user identification number. Google Analytics does not log and store individual IP addresses for EU users.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers. This may include graphics, videos, or maps.

Google Fonts: We use Google Fonts for technically secure, maintenance-free, and efficient use of fonts. The provider of the fonts is informed of the user's IP address so that the fonts can be made available in the user's browser.

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing we carry out make this necessary.