Introduction

The following privacy statement is intended to clarify which types of personal data (hereinafter also referred to as “data”) we process for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the framework of the provision of our services and in particular on our websites, mobile applications, and on social media (collectively referred to as the “website”).

The terms used are not gender specific.

Last updated: March 1, 2021

Table of contents

Introduction

Data controller

Overview of data processing

Data protection officer

Applicable legal bases

Security measures

Transmission and disclosure of personal data

Data processing in third countries

Use of cookies

Commercial and business services

Payment service providers

Provision of online services and web hosting

Contact

Newsletters and electronic notifications

Web analytics, monitoring, and optimization

Online marketing

Social media

Plug-ins and embedded features and content

Deletion of data

Changes and updates to this privacy policy

Rights of data subjects

Definitions of terms

Data controller

Expressis verbis Schmuck GmbH, Managing Director: Martina Hirtz
Im Hasenfeld 34
54550 Daun
Germany

Authorized representatives: Martina Hirtz

Email address: info@expressisverbis.online

Phone: +49 6592 6330815

Site Notice

Data protection officer

See above

Overview of data processing

The following overview summarizes the types of data processed, the purposes for which they are processed, and the data subjects concerned.

Types of data processed

Basic personal data (e.g. names, addresses).

Content data (e.g. input into online forms).

Contact data (e.g., email address, phone numbers).

Meta/communication data (e.g. device information, IP addresses).

Usage data (e.g. websites visited, interest in content, access times).

Location data (information on the geographical position of a device or a person).

Contract data (e.g. subject matter of the contract, term, customer category).

Payment data (e.g. bank details, invoices, payment history).

Categories of data subjects

Business and contractual partners.

Prospects.

Communication partners.

Customers.

Users (e.g. website visitors, users of online services).

Purposes of processing

Assessment of creditworthiness.

Providing online services and user-friendliness.

Conversion tracking.

Office and organizational procedures.

Cross-device tracking (cross-device processing of user data for marketing purposes).

Direct marketing (e.g. by email or post).

Interest-based and behavior-based marketing.

Contact requests and communication.

Conversion measurement (measurement of the effectiveness of marketing measures).

Profiling (creation of user profiles).

Remarketing.

Reach measurement (access statistics, recognition of recurring visitors).

Security measures.

Tracking (e.g. interest-/behavior-related profiling, use of cookies).

Provision of contractual services and customer service.

Managing and responding to requests.

Target group formation (determination of target groups relevant for marketing purposes or other output of content).

Automated decisions in individual cases

Credit information (decision based on a credit check).

Applicable legal bases

Below we provide the legal bases of the General Data Protection Regulation (GDPR) on which we process the personal data. Please note that, in addition to the rules of the GDPR, the national data protection rules may apply in your or our country of residence. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

Consent (Art. 6 para. 1 clause 1 lit. a. GDPR) – The data subject has given their consent to the processing of their personal data for a specific purpose or for several specific purposes.

Contract performance and pre-contractual requests (Art. 6 para. 1 clause 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures that are carried out at the request of the data subject.

Legal obligation (Art. 6 para. 1 clause 1 lit. c. GDPR) – The processing is necessary to fulfill a legal obligation to which the data controller is subject.

Legitimate interests (Art. 6 para. 1 clause 1 lit. f. GDPR) – Processing is necessary to safeguard the legitimate interests of the controller or a third party, unless these are outweighed by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements to ensure a level of protection commensurate with the risk, taking into account the state of the art, the cost of implementation, the nature, scope, circumstances and purposes of the processing, and the varying likelihood and severity of the threat to the rights and freedoms of natural persons.

These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, securing of availability and separation relating to them. We have also put in place procedures to ensure that the rights of data subjects can be exercised, that data is erased and that we respond to threats to the data. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

SSL encryption (https): We use SSL encryption to protect your data transmitted via our online services. You can recognize encrypted connections by the prefix “https://” in the page link in the address line of your browser.

Transmission and disclosure of personal data

As part of our processing of personal data, the data are transferred to or disclosed to other entities, undertakings, legally independent organizational units or persons. Recipients of this data may include payment institutions in connection with payment transactions, service providers entrusted with IT tasks or service and content providers included in a website. In such a case, we observe the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data processing in third countries

If we process data in a third country (i.e., a country outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or of disclosing or transmitting data to other persons, offices or companies, this shall be carried out only in accordance with the legal requirements.

Subject to express consent or contractually or legally required transmission, we process the data, or have it processed, only in third countries with a recognized level of data protection, on the basis of a contractual obligation through so-called standard protection clauses of the EU Commission, or where certifications or binding internal data protection regulations are in place (Art. 44 to 49 GDPR; information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Use of cookies

Cookies are text files that contain data from websites or domains visited and are stored on the user’s computer by a browser. A cookie is primarily used to store information about a user during or after their visit to a website. Such information may include language settings on a web page, login status, a shopping cart, or the location where a video was viewed. The term cookies also includes other technologies that perform the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also known as “user IDs”).

A distinction is made between the following types of cookies and functions:

Temporary cookies (also called session cookies): Temporary cookies are deleted at the latest after a user has left a website and closed their browser.

Persistent cookies: These cookies are saved even after the browser has been closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users used for reach measurement or for marketing purposes can also be stored in such a cookie.

First-party cookies: We set first-party cookies ourselves.

Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.

Necessary (also essential or absolutely necessary) cookies: Cookies can be absolutely necessary for operating a website (e.g. to save logins or other user input data or for security reasons).

Statistics, marketing and personalization cookies: Furthermore, cookies are usually also used in the context of reach measurement and when the interests of a user or their behavior on individual websites (e.g. viewing certain content, using functions, etc.) are stored in a user profile. Such profiles are used to provide users with information, such as content that is appropriate to their potential interests. This is also referred to as “tracking”, i.e., tracking of the potential interests of users. Insofar as we use cookies or “tracking” technologies, we will inform you separately of these in our privacy policy or within the context of obtaining consent.

Legal information: The legal basis for processing your personal data using cookies depends on whether we ask you to give your consent. If this is so, and you agree to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in the commercial operation of our website and its improvement) or if the use of cookies is necessary to fulfill our contractual obligations.

Storage duration: If we do not provide you with explicit information on the storage duration of permanent cookies (e.g. within the context of a so-called cookie opt-in), you can assume that they will be stored for up to two years.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option, at any time, to revoke your consent or to object to the processing of your data by means of cookie technologies (collectively referred to as “opt-out”). You may declare your objection by using your browser settings, such as disabling cookies (which can also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared using a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further objection notices within the context of the information on the service providers and cookies used.

The processing of cookie data on the basis of consent: Before processing data in the context of the use of cookies, we ask the users to give their consent, which can be revoked at any time. Before consent has been given, cookies are used which are absolutely necessary for the operation of our website.

Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Users (e.g. website visitors, users of online services).

Legal bases: Consent (Art. 6 para. 1 clause 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Commercial and business services

We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), within the context of contractual and comparable legal relationships and related measures, and within the context of (pre-contractual) communication with the contractual partners, e.g. to deal with inquiries.

We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as business organization. We only pass on the contractual partner data to third parties within the framework of applicable law to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations or with the consent of the data subject (e.g. to telecommunications, transport and other support services involved as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). The contractual partners will be informed within the scope of this privacy policy about other forms of processing, e.g. for marketing purposes.

We inform the contractual partners which data is required for the aforementioned purposes before or as part of the collection of data, e.g. through online forms, by means of special labelling (e.g. colors) or symbols (e.g. asterisks or similar), or personally.

We will delete this data after statutory warranty and comparable obligations have expired, i.e., in principle after 4 years, unless the data is stored in a customer account, e.g., for as long as it must be retained for legal reasons (e.g., for tax purposes, usually 10 years). Data disclosed to us within the scope of an order by the contractual partner is deleted by us in accordance with the specifications of the order, in principle once the order is completed.

If we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between users and providers.

Customer account: Contractual partners can create an account on our website (“customer account”). If the registration of a customer account is required, contractual partners will be informed of this as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration and subsequent registrations and uses of the customer account, we will save the IP addresses of the customers along with the access details in order to be able to prove the registration and prevent any misuse of the customer account.

If customers have terminated their customer account, the data relating to the customer account will be deleted, subject to any statutory retention requirements. It is the customer’s responsibility to secure their data if the customer account is terminated.

Business analytics and market research: For business reasons and in order to be able to recognize market trends, contractual partner and user wishes, we analyze the data related to business transactions, contracts, inquiries, etc. available to us, whereby contractual partners, interested parties, customers, and users may fall into the group of data subjects.

The analyses are carried out for the purpose of business analytics, marketing, and market research (e.g. to determine customer groups with different characteristics). In doing so, we can take into account the profiles of registered users including details of any services used, if available. The analytics are solely for our purposes and are not disclosed externally unless they are anonymous analyses with summarized, i.e., anonymized values. We also take the privacy of users into account and process the data for analytics purposes pseudonymously and, if possible, anonymously (e.g. as summarized data).

Shop and e-commerce: We process the data of our customers in order to enable them to select, purchase or order the selected products, goods and related services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, in particular postal, forwarding and shipping companies, to carry out the delivery or execution for our customers. We use the services of banks and payment service providers to process payment transactions. The information required is marked as such within the context of concluding the order and includes the information required for delivery and invoicing as well as contact information in order to be able to hold consultations.

Types of data processed: Basic personal data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact details (e.g. email, telephone numbers), contract data (e.g. subject of the contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Interested parties, business and contractual partners, customers.

Purposes of processing: Provision of contractual services and customer service, contact inquiries and communication, office and organizational procedures, administration and answering of inquiries, security measures, evaluation of visits, interest-based and behavior-related marketing, profiling (creation of user profiles).

Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 clause 1 lit. b GDPR), legal obligation (Art. 6 para. 1 clause 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Payment service providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other third-party payment service providers in addition to banks and credit institutions (collectively “payment service providers”).

The data processed by the payment service providers includes basic personal data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract details, purchase totals, and recipient information. This information is required to fulfill orders placed. However, the data entered will only be processed and stored by the payment service providers. This means that we do not receive any account or credit card related information, but only information regarding payment confirmation or failure. The data may be transferred by the payment service providers to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. For this we refer to the terms and conditions and data protection information of the respective payment service provider.

For payment transactions, the terms and conditions and the data protection policy of the respective payment service provider apply. These can be accessed within their respective websites or transaction applications. We also refer to these for further information and for the assertion of rights of revocation, rights of access and other data subject rights.

Types of data processed: Basic personal data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject of the contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Customers, prospects.

Purposes of processing: Provision of contractual services and customer service.

Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 clause 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Services and service providers used:

PayPal: Payment services and solutions (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Website: https://www.paypal.com/de; Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Stripe: Payment services and solutions; Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Website: https://stripe.com/de; Privacy policy: https://stripe.com/de/privacy.

Credit checks

If we provide our services before receiving payment or take on other economic risks (e.g. when allowing customers to purchase on account), we reserve the right to obtain information from specialized service providers (credit agencies) on the customer’s identity and creditworthiness for the purpose of assessing credit risk on the basis of mathematical-statistical procedures in order to safeguard our legitimate interests.

We process the information received from credit agencies on the statistical probability of non-payment within the framework of taking an appropriate discretionary decision on the establishment, execution and termination of the contractual relationship. We reserve the right to refuse orders on account in the event of a negative result of the credit assessment.

The decision as to whether to provide our service before receiving payment is made, in accordance with Art. 22 GDPR, solely on the basis of an automated decision in the individual case, which our software makes on the basis of information from the credit agency.

If we obtain the customer’s express consent, the legal basis for the credit check and transmission of the customer’s data to the credit inquiry agencies is said consent. If no consent is obtained, the credit check is based on our legitimate interests in securing our payment claims against default.

Types of data processed: Basic personal data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact details (e.g. email, telephone numbers), contract data (e.g. subject of the contract, term, customer category).

Data subjects: Customers, prospects.

Purposes of processing: Assessment of creditworthiness.

Legal bases: Consent (Art. 6 para. 1 clause 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Automated decisions in individual cases: credit information (decision based on a credit check).

Services and service providers used:

Verband der Vereine Creditreform e.V.: Credit reporting agency; Service provider: Verband der Vereine Creditreform e.V., Hellersbergstraße 12, D-41460 Neuss, Germany; Website: https://www.creditreform.de/; Privacy policy: https://www.creditreform.de/datenschutz.

Provision of online services and web hosting

In order to provide our online presence safely and efficiently, we use one or more hosting providers who provide or manage the servers from which users access our website or app. For these purposes, we use their infrastructure and platform services, computing capacity, storage and database services, as well as guarantees and technical maintenance.

The data processed by our hosting providers may include any user information provided during use of the online presence or in communication. This regularly includes the IP address, which is necessary in order to be able to deliver the content of websites to browsers, and all entries made within the framework of our website or app.

Email delivery and hosting: Our hosting provider also provides us with the service that sends, receives, and stores our emails. For these purposes, the addresses of the recipients and senders are processed, as is other information concerning the email (e.g. the providers involved) and the content of each email. The above data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent in encrypted form on the Internet. As a rule, emails are encrypted in transit, but (unless an end-to-end encryption method is used) they are not encrypted on the servers from which they are sent and received. We therefore cannot take responsibility for the transmission path of emails between the sender and their receipt on our server.

Collection of access data and log files: We (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the websites and files accessed, the date and time of the access, the amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and usually IP addresses and the enquiring provider.

The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the server (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the load capacity and stability of the servers.

Types of data processed: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Users (e.g. website visitors, users of online services).

Legal bases: Legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Contact

When contacting us (e.g. via contact form, email, telephone or social media), the information provided by the requesting persons is processed insofar as this is necessary to respond to the contact inquiries and any measures requested.

Responses to contact inquiries within the context of contractual or pre-contractual relations shall be given either in order to fulfil our contractual obligations or for the purpose of answering (pre)contractual inquiries and also on the basis of the legitimate interests in answering the inquiries.

Types of data processed: Basic personal data (e.g. names, addresses), contact details (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Communication partners, prospects.

Purposes of processing: Contact inquiries and communication, administration and answering of inquiries.

Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 clause 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Web analytics, monitoring, and optimization

Web analytics (also referred to as “reach measurement”) are used to evaluate the flow of visitors to our website and can include pseudonymized information about the behavior, interests, or demographics of site visitors, such as age or gender. With the help of reach analytics, we can, for example, recognize when our online presence or its features or content are being used most often or invite users to return visits. It also allows us to understand which areas are in need of optimization.

In addition to web analytics, we can also use test procedures, for example, to test and optimize different versions of our website or its components.

For these purposes, so-called user profiles can be created and stored in cookies, or similar processes can be used for the same purpose. This information can include, for example, content viewed, pages visited and elements used there, and technical information such as the browser used, the computer system used, as well as information on usage times. Insofar as users have consented to the collection of their location data, this can also be processed, depending on the provider.

The IP addresses of the users are also saved. However, we use an IP masking process (i.e., pseudonymization by truncating the IP address) to protect users. In general, in the context of web analytics, A/B testing, and optimization, no clearly identifiable user data (such as email addresses or names) will be saved. It will instead be pseudonymized. This means that we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Information on legal bases: If we ask the users for their consent to the use of third party providers, the legal basis of the processing of data is that consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this Privacy Policy.

Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-related profiling, use of cookies), visitor activity evaluation, profiling (creation of user profiles).

Security measures: IP masking (pseudonymization of the IP address).

Legal bases: Consent (Art. 6 para. 1 clause 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Services and service providers used:

Google Analytics: This website uses Google Analytics, a web analytics service. This is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A.

etracker: Web analytics/reach measurement; Service provider: etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany; Website: https://www.etracker.com; Privacy policy: https://www.etracker.com/datenschutz/; Opt-out: https://www.etracker.de/privacy?et=[BITTE-EINSETZEN-IHRE-Account-ID].

Matomo (without cookies): Matomo is a data protection-friendly web analytics software that operates without cookies and recognizes returning users with the help of a so-called “digital fingerprint”, which is stored anonymously and changed every 24 hours. The “digital fingerprint” tracks user movements within our website with the help of pseudonymized IP addresses in combination with user-side browser settings in such a way that it is not possible to draw conclusions about the identity of individual users; Service provider: web analytics/reach measurement in self-hosting; Website: https://matomo.org/.

Online marketing

We process personal data for online marketing purposes, which can include, in particular, the marketing of advertising space or the presentation of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called “cookies”) or similar processes are used, by means of which user information relevant to the presentation of the aforementioned content is saved. This information can include, for example, content viewed, pages visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times. Insofar as users have consented to the collection of their location data, this can also be processed.

The IP addresses of the users are also saved. However, we use available IP masking processes (i.e., pseudonymization by truncating the IP address) to protect users. In general, no clearly identifiable user data (such as email addresses or names) is stored while collecting data for online marketing, instead only pseudonyms. This means that we and the providers of online marketing processes do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or by means of similar processes. These cookies can later generally also be accessed by other websites that use the same online marketing process, analyzed for displaying content, as well as supplemented with additional data and stored on the online marketing process provider’s server.

As an exception, plain data can be assigned to the profiles. This occurs if users are, for example, members of a social network whose online marketing process we use and the network connects the users’ profiles with the aforementioned information. We ask you to note that users may be asked to make additional agreements with social media providers, e.g. by giving their consent when they sign up.

In principle, we only have access to summarized information about the success of our advertisements. However, within the scope of so-called conversion tracking, we can check which of our online marketing processes have led to a so-called conversion, i.e., for example, to a contract with us. Conversion tracking is used solely to analyze the success of our marketing measures.

Unless otherwise stated, we ask you to assume that the cookies used will be stored for a period of two years.

Information on legal bases: If we ask the users for their consent to the use of third party providers, the legal basis of the processing of data is that consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this Privacy Policy.

Facebook Pixels: With the help of Facebook Pixel, Facebook is able to determine the visitors of our website as a target group for the presentation of advertisements (so-called “Facebook Ads”). Accordingly, we use Facebook pixels to display the Facebook ads placed by us only to those users on Facebook and within the services of the partners cooperating with Facebook (so-called “Audience Network”, https://www.facebook.com/audiencenetwork) who have also shown an interest in our website or who have certain characteristics (e.g. interest in certain topics or products that can be seen from the websites visited) that we transmit to Facebook (so-called “Custom Audiences”). With the help of the Facebook pixel, we want to make sure that our Facebook ads correspond to the potential interest of the users and are not annoying. The Facebook pixel also helps us understand the effectiveness of Facebook ads for statistical and marketing research purposes by showing and evaluating whether users are directed to our website after they have clicked a Facebook ad (so-called “conversion tracking”).

Types of data processed: usage data (visited web pages, content interest, access times), meta/communication data (device information, IP addresses), location data (information on the geographical position of a device or a person).

Data subjects: Users (e.g. website visitors, users of online services), prospects.

Purposes of processing: Tracking (e.g. interest/behavior-related profiling, use of cookies), remarketing, visitor action evaluation, interest-based and behavior-related marketing, profiling (creation of user profiles), conversion tracking (measuring the effectiveness of marketing measures), reach measurement (e.g. access statistics, recognizing returning visitors), forming target group (determination of target groups relevant for marketing purposes or other output of content), cross-device tracking (cross-device processing of user data for marketing purposes).

Security measures: IP masking (pseudonymization of the IP address).

Legal bases: Consent (Art. 6 para. 1 clause 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Opt-out: We refer to the Privacy Policy of the respective provider and the options for opting out they provide. Unless an explicit opt-out option has been specified, you can also switch off cookies in your browser settings. However, this can restrict the features of our website. We therefore also recommend the following opt-out options, which cover many different services for the respective regions: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.

Services and service providers used:

Google Tag Manager: Google Tag Manager is a solution with which we manage so-called website tags via an interface and thus integrate other services into our website. The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of personal user data, we refer to the following information on Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.

Google Analytics: online marketing and web analytics; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy. Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated.

Google Ads and conversion measurement: We use the online marketing process “Google Ads” to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users whose profiles suggest they may be interested in seeing our advertisements. We also measure ad conversion. However, we only see the total number of anonymous users who clicked on our ad and were redirected to a page with a conversion tracking tag. We do not obtain any information that can be used to identify users personally. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.

Google Ad Manager: We use the “Google Marketing Platform” (and services such as “Google Ad Manager”) to place advertisements in the Google advertising network (e.g., in search results, in videos, on websites, etc.). The Google Marketing Platform is characterized by the fact that advertisements are displayed in real time based on the presumed interests of users. This allows us to display ads for and within our website in a more targeted manner so as to only display ads which might correspond to users’ interests. For example, if a user is shown ads for products which they have shown interest in on other websites, this is referred to as “remarketing.” Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.

Facebook pixels: Service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland; Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Opt-out: https://www.facebook.com/settings?tab=ads.

 

Social media

We maintain an online presence within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that this might lead to user data being processed outside the European Union, which can pose risks for users because this might hinder the enforcement of users’ rights, for example.

User data is also generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and assumptions on user interests. The usage profiles can in turn be used, for example, to display advertisements which presumably correspond to the interests of the users both within and outside of the platforms. For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behavior and interests are stored. Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer you to the privacy policies and information of the respective network operators.

We would like to point out that requests for information and the assertion of user rights are also directed most effectively to the providers. Only the providers have access to the user data and can take appropriate measures and provide information directly. Should you still require assistance, you can contact us.

Types of data processed: Basic personal data (e.g. names, addresses), contact details (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Contact inquiries and communication, tracking (interest/behavior-related profiling, cookies), remarketing, range measurement (access statistics, recognition of returning visitors).

Legal bases: Legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR).

Services and service providers used:

Instagram: social network; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.

Facebook: social network; Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland; Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Opt-out: Settings for advertisements: https://www.facebook.com/settings?tab=ads; Additional information on data protection: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, data protection information for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.

LinkedIn: social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Twitter: social network; Service provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Privacy policy: https://twitter.com/de/privacy, (Settings) https://twitter.com/personalization.

YouTube: social network; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Privacy policy: https://policies.google.com/privacy; Opt-out: https://adssettings.google.com/authenticated.

Xing: social network; Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins and embedded features and content

Our website includes functional and content elements obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may, for example, be graphics, videos or social media buttons as well as posts (hereinafter uniformly referred to as “content”).

The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of these contents or features. We strive to only use content whose respective provider uses the IP address solely for the delivery of content. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, websites to be referred to, visiting times and other information about the use of our online services, as well as may be linked to such information from other sources.

Information on legal bases: If we ask the users for their consent to the use of third party providers, the legal basis of the processing of data is that consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this Privacy Policy.

Types of data processed: usage data (visited web pages, content interest, access times), meta/communication data (device information, IP addresses), location data (information on the geographical position of a device or a person), content data (e.g. entries in online forms), inventory data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers).

Data subjects: Users (e.g. website visitors, users of online services), communication partners.

Purposes of processing: provision of our online services and user-friendliness, contractual services and support, contact inquiries and communication, tracking (interest-/behavior-based profiling, cookies), interest- and behavior-based marketing, profiling (creation of user profiles), security measures, administration and response to inquiries.

Legal bases: Legitimate interests (Art. 6 para. 1 clause 1 lit. f GDPR), consent (Art. 6 para. 1 clause 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 clause 1 lit. b GDPR).

Services and service providers used:

Facebook plugins and content: Facebook social plugins and content – This may include, for example, content such as images, videos or texts and buttons with which users can share content from this website to Facebook. The list and the appearance of the Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/; Service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland; Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Opt-out: Settings for advertisements: https://www.facebook.com/settings?tab=ads.

Google Fonts: We integrate fonts (“Google Fonts”) from the provider Google, whereby user data is solely used for the purpose of displaying the fonts in the user’s browser. Integration takes place on the basis of our legitimate interests in technically secure, maintenance-free and efficient use of fonts and their uniform representation as well as consideration of possible licensing restrictions for their integration. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com; Privacy policy: https://policies.google.com/privacy.

Google Maps: We integrate the maps from the “Google Maps” service provided by Google. The data processed may include, in particular, users’ IP addresses and location data, which, however, is not collected without their consent (usually within the framework of the settings of their mobile devices); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy policy: https://policies.google.com/privacy; Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated.

ReCaptcha: We incorporate the “ReCaptcha” feature to detect bots, for example, when entering data in online forms. The behavior data of the users (e.g. mouse movements or queries) is evaluated in order to distinguish human input from that of bots. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy. Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated.

Twitter plugins and buttons: This may include content such as images, videos or text and buttons with which users can share content from this website to Twitter. Service Provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Website: https://twitter.com/de; Privacy Policy: https://twitter.com/de/privacy.

YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy. Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated.

Deletion of data

The data we process will be deleted in accordance with the statutory provisions as soon as the consent permitted for processing is revoked or other permissions lapse (e.g. if the purpose of processing this data has lapsed or it is not necessary for the purpose).

If the data is not deleted because it is required for other, legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

Further information on the deletion of personal data can also be found in the individual data protection notices of this Privacy Policy.

Changes and updates to this privacy policy

We ask you to inform yourself regularly about the content of our Privacy Policy. We will adapt it as soon as changes in the data processing we perform make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we have provided addresses and contact information of companies and organizations in this Privacy Policy, please note that the addresses may change over time, and so we ask you to check this information before contacting us.

Rights of data subjects

As a data subject, you have various rights under GDPR, as stipulated in particular in Articles 15 to 21:

You have the right, for reasons arising from your specific situation, to object to the processing of personal data concerning you at any time, which is carried out in accordance with Art. 6 para. 1 lit. e or f GDPR; the same applies to profiling based on these provisions. If the personal data that concerns you is being processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data that concerns you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.

Right to revoke consent: You have the right to revoke your consents at any time.

Right to information: You have the right to request confirmation as to whether the data in question is being processed and information about this data as well as further information and a copy of said data in accordance with legal requirements.

Right to correct: You have the right, in accordance with the provisions of the law, to request the completion or correction of your data if incomplete or inaccurate.

Right to delete data or restrict its processing: You have the right, in accordance with the statutory provisions, to demand that data concerning you be deleted immediately or, alternatively, to demand its processing be restricted in accordance with the statutory provisions.

Right to data transfer: You have the right to receive the data you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements or to demand that it be transferred to another controller.

Complaint to the supervisory authority: You also have the right, in accordance with the statutory provisions, to complain to a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place where the alleged infringement was committed, if you are of the opinion that the processing of your personal data violates the GDPR.

Definitions of terms

This section gives you an overview of the terms used in this Privacy Policy. Many of the terms are taken from legislation and are primarily defined in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily for a better understanding. The terms are sorted alphabetically.

Conversion tracking: Conversion tracking describes a procedure with which the effectiveness of marketing measures can be determined. For this purpose, a cookie is usually stored on the users’ devices within the website where the marketing measures are being carried out and then retrieved again on another website. For example, we can see whether the advertisements we placed on other websites were successful.

Credit check: Automated decisions are based on automatic data processing without human intervention (e.g. in the case of an automatic rejection of a purchase on account, an online loan application or an online application process without any human intervention). According to Art. 22 GDPR, such automated decisions are only permissible with the data subject’s consent, if necessary for the performance of a contract, or if national laws allow these decisions.

Cross-device tracking: Cross-device tracking is a form of tracking in which user behavior and interest information is recorded across devices in so-called profiles by assigning an online identifier to the users. As a result, the user information can usually be analyzed for marketing purposes regardless of the browser or device used (e.g. mobile phones or desktop computers). With most providers, the online identification is not linked to clearly identifiable data such as names, postal addresses, or email addresses.

IP masking: “IP masking” is a method in which the last two digits of an IP address are deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing data processing, especially in online marketing.

Interest- and behavior-based marketing: One speaks of interest- and/or behavior-based marketing when the potential interests of users in advertisements and other content are predetermined as precisely as possible. This is done on the basis of information about their previous behavior (e.g. visiting certain websites and how much they spend on them, buying behaviors, or interaction with other users), which are stored in a so-called profile. Cookies are usually used for these purposes.

Personal data: Personal data refers to all information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable if he/she can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online ID (e.g. cookies) or with one or several special features reflecting the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Profiling: Profiling refers to any type of automated processing of personal data that includes using these personal data to analyze, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this includes information relating to age, gender, location data and movement data, interaction with websites and their content, shopping behavior, social interactions with other people) (e.g. interests in certain content or products, clicking behavior on a website or their location). Cookies and web beacons are often used for profiling purposes.

Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate the flow of visitors to a website and can include the behavior or interests of visitors in certain information, such as the site’s content. With the help of the reach analysis, website owners can see, for example, at what time visitors visit their website and what content they are interested in. This enables them to better adapt the content of the website to the needs of their visitors. For reach analytics, pseudonymous cookies and web beacons are often used to recognize returning users and thus receive more precise analyses of how the site is being used.

Remarketing: One speaks of “remarketing” or “retargeting” when, for example, it is noted for advertising purposes which products a user was interested in on a website in order to remind the user of these products on other websites, e.g. in advertisements.

Location data: Location data is created when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, a WiFi, or similar technical intermediaries and functions of location determination. Location data is used to indicate the geographically determinable position on earth at which the respective device is located. Location data can, for example, be used to display map functions or other information dependent on a location.

Tracking: One speaks of “tracking” when the behavior of users can be traced across several websites. As a rule, information on behavior and interest with regard to websites visited is stored in cookies or on servers of the providers of tracking technologies (so-called profiling). This information can then be used, for example, to show users advertisements that are likely to correspond to their interests.

Data controller: Data controller refers to the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.

Processing: Processing is any operation or series of operations carried out with or without the help of automated procedures in connection with personal data. The term is broad and covers virtually every aspect of dealing with data, be it collection, evaluation, storage, transmission or deletion.

Target group formation: One speaks of target group formation (or “custom audiences”) when target groups are determined for advertising purposes, e.g. displaying advertisements. For example, based on a user’s interest in certain products or topics on the Internet, it can be concluded that this user is interested in advertisements for similar products or the online shop in which they viewed the products. One speaks of “lookalike audiences” (or similar target groups), in turn, when the content assessed as suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are usually used for the purpose of creating custom and lookalike audiences.