Privacy policy
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
As of: January 9, 2026
Table of Contents
- Preamble
- Controller
- Contact Data Protection Officer
- Overview of Processing
- Applicable Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Business Processes and Procedures
- Use of Online Platforms for Offer and Sales Purposes
- Providers and Services Used in the Course of Business Activities
- Payment Methods
- Provision of Online Offer and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Web Analytics, Monitoring and Optimization
- Online Marketing
- Social Media Presences
- Plugins and Embedded Functions and Content
- Management, Organization and Auxiliary Tools
- Application Procedures
- Changes and Updates
- Definitions
Controller
Clatronic International GmbH
Industriering Ost 40
47906 Kempen
Germany
Authorized representatives: Emanuel Classen, Philipp Classen
Email: info@clatronic.de
Phone: +49 2152 2006-0
Imprint: https://www.clatronic.de/impressum
Contact Data Protection Officer
eMGe-DaTa
Michaela Genderka
Blumenstr. 13
47918 Tönisvorst
Phone: +49 (0) 2151 94 22 060
Email: m.genderka@emge-data.de
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.
Types of Data Processed
- Master data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
- Applicant data.
- Log data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Prospects.
- Communication partners.
- Users.
- Applicants.
- Business and contractual partners.
- Third parties.
- Customers.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion measurement.
- Audience formation.
- Organizational and administrative procedures.
- Application procedures.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offer and user-friendliness.
- Information technology infrastructure.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and economic procedures.
Applicable Legal Bases
Applicable legal bases under the GDPR: Below you will find an overview of the GDPR legal bases on which we process personal data. Please note that, in addition to the GDPR, national data protection requirements may apply in your or our country of residence or establishment. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given consent to the processing of personal data relating to them for a specific purpose or multiple specific purposes.
- Contract performance and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) - Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Application process as pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b GDPR) - If, during the application process, special categories of personal data pursuant to Art. 9 para. 1 GDPR (e.g., health data, such as disability status or ethnic origin) are requested from applicants so that the controller or data subject can exercise their rights and fulfill their obligations arising from labor law and social security and social protection law, their processing is carried out pursuant to Art. 9 para. 2 lit. b GDPR. Where processing serves to protect the vital interests of applicants or other persons, it is carried out pursuant to Art. 9 para. 2 lit. c GDPR; where it serves purposes of preventive medicine or occupational health, assessment of employee work capacity, medical diagnostics, care or treatment in the health or social sector, or management of systems and services in the health or social sector, it is carried out pursuant to Art. 9 para. 2 lit. h GDPR. In cases of voluntary consent to disclose special categories of data, processing is based on Art. 9 para. 2 lit. a GDPR.
National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific regulations on the right to information, the right to deletion, the right to object, processing of special categories of personal data, processing for other purposes, transfers, and automated individual decision-making including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Note on GDPR and Swiss DPA: These privacy notices serve both for providing information under the Swiss Data Protection Act (DSG) and the GDPR. Therefore, we ask you to note that, due to broader geographic application and clarity, the terms of the GDPR are used. Specifically, instead of the Swiss DSG terms "processing" of "personal data," "overriding interest," and "particularly sensitive personal data," the GDPR terms "processing" of "personal data," "legitimate interest," and "special categories of data" are used. The legal meaning of the terms is nevertheless determined under the Swiss DSG where applicable.
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying probabilities and severity of threats to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
These measures particularly include securing the confidentiality, integrity, and availability of data through controlling physical and electronic access to the data, as well as access, input, transfer, backup, availability, and separation of the data. Furthermore, we have implemented procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. In addition, we take data protection into account during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.
Securing online connections using TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and encrypted.
Transfer of Personal Data
As part of our processing of personal data, it may be transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include service providers commissioned with IT tasks or providers of services and content embedded in a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.
Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access. Such data transfers are based on our legitimate business and commercial interests. This includes, for example, improving business processes, ensuring efficient and effective internal communication, optimizing the use of our human and technological resources, and enabling informed business decisions. In certain cases, data transfer may also be necessary to fulfill our contractual obligations or may be based on the consent of the data subjects or a legal permission.
Data transfer within the organization: We may transfer personal data to other departments or units within our organization or grant them access. If the data transfer is for administrative purposes, it is based on our legitimate business and commercial interests or occurs if necessary to fulfill our contractual obligations, or if the data subject has given consent or there is a legal authorization.
International Data Transfers
Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies (as indicated, for example, by the postal address of the respective provider or if the privacy policy explicitly refers to transfers to third countries), this is always done in compliance with legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by an adequacy decision of the EU Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, which comply with the EU Commission requirements and establish contractual obligations to protect your data.
This dual protection ensures comprehensive safeguarding of your data: the DPF forms the primary level of protection, while the Standard Contractual Clauses provide additional security. If changes occur within the DPF framework, the Standard Contractual Clauses serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.
For each service provider, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).
For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found on the EU Commission’s information page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are withdrawn or no other legal basis for processing exists. This applies in cases where the original purpose of processing ceases or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data that specifically applies to certain processing activities.
When multiple retention periods or deletion deadlines are provided for a piece of data, the longest period always applies. Data that is retained not for the original purpose but due to legal requirements or other reasons is processed exclusively for the reasons justifying its retention.
Retention and deletion of data: The following general periods apply to retention and archiving under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balances, as well as the work instructions and other organizational documents required for their understanding (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
- 8 years – Accounting documents, such as invoices and cost receipts (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
- 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, e.g., time sheets, internal cost accounting records, calculation documents, price labels, as well as payroll documents not already classified as accounting documents, and cash receipts (§ 147 para. 1 nos. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 nos. 2 and 3 in conjunction with para. 4 HGB).
- 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, and to handle related inquiries, based on prior business experience and standard industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Start of the period at the end of the year: If a period does not explicitly start on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the effective date of termination or other end of the legal relationship.
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular pursuant to Articles 15 to 21 GDPR:
- Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw given consents at any time.
- Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed, and access to this data as well as further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right to request the completion of your personal data or the correction of inaccurate personal data in accordance with legal requirements.
- Right to erasure and restriction of processing: You have the right to request that your personal data be deleted immediately, or alternatively, in accordance with legal requirements, to request restriction of processing.
- Right to data portability: You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format or to request its transfer to another controller in accordance with legal requirements.
- Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to other administrative or judicial remedies, you also have the right to lodge a complaint with a data protection supervisory authority, particularly in the member state where you usually reside, at your place of work, or at the location of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
Business Services
We process data of our contractual and business partners, e.g., customers and prospective clients (collectively referred to as “contractual partners”), in the context of contractual and similar legal relationships, as well as related measures and for communication with contractual partners (or pre-contractually), for example to respond to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide agreed services, any update obligations, and remedies in case of warranty or other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative purposes related to these obligations and organizational management. We also process the data based on our legitimate interests in proper and businesslike management, as well as security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the limits of applicable law, we only share data with third parties to the extent necessary for the aforementioned purposes or to comply with legal obligations. Other types of processing, e.g., for marketing purposes, are communicated to contractual partners in this privacy policy.
Which data is required for the aforementioned purposes is communicated to contractual partners before or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiration of statutory warranty and similar obligations, generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal reasons (usually ten years for tax purposes). Data disclosed to us by the contractual partner as part of an order is deleted in accordance with the requirements and generally after the end of the order.
- Types of processed data: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses, phone numbers); contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; prospects; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative processes; business processes and economic procedures.
- Retention and deletion: Deletion according to the section "General Information on Data Storage and Deletion".
- Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR); legal obligation (Art. 6 para. 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further information on processing activities, procedures, and services:
- Online shop, order forms, e-commerce, and service fulfillment: We process our customers’ data to enable the selection, purchase, or ordering of chosen products, goods, and associated services, as well as their payment and provision, delivery, or execution. Where necessary for order execution, we use service providers, particularly postal, freight, and shipping companies, to deliver or execute the service to our customers. For payment processing, we use banks and payment service providers. Required information is clearly indicated in the context of the order or similar purchase process and includes the details needed for delivery, provision, billing, and contact information to allow for any necessary communication; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR).
Business Processes and Procedures
Personal data of service recipients and clients—including customers, clients, or in specific cases, legal clients, patients, business partners, and other third parties—are processed within the scope of contractual and similar legal relationships, as well as pre-contractual measures such as initiating business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment processing, accounting, and project management.
The collected data is used to fulfill contractual obligations and to optimize operational processes. This includes handling business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial processes. Additionally, the data supports safeguarding the rights of the controller and facilitates administrative tasks and corporate organization.
Personal data may be shared with third parties if necessary to fulfill the aforementioned purposes or legal obligations. After statutory retention periods expire or when the purpose of processing no longer applies, the data is deleted. This also includes data that must be retained longer due to tax and legal record-keeping requirements.
- Types of processed data: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses, phone numbers); content data (e.g., textual or visual messages and contributions, as well as related information such as authorship or creation date); contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files regarding logins, data retrieval, or access times).
- Data subjects: Service recipients and clients; prospects; communication partners; business and contractual partners; customers; third parties; users (e.g., website visitors, online service users); employees (e.g., staff, applicants, temporary workers, and other personnel).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and economic procedures; security measures; provision and usability of our online services; communication; marketing; sales promotion; public relations; financial and payment management; IT infrastructure (operation and provision of information systems and technical devices, e.g., computers, servers).
- Retention and deletion: Deletion according to the section "General Information on Data Storage and Deletion".
- Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR); legal obligation (Art. 6 para. 1 lit. c GDPR).
Further information on processing activities, procedures, and services:
- Contact management and maintenance: Procedures necessary for organizing, maintaining, and securing contact information (e.g., setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restoring contact data, training employees on effective use of contact management software, regularly reviewing communication history and adjusting contact strategies); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Customer account: Customers can create an account within our online services (e.g., customer or user account, "customer account"). If account registration is required, customers are informed about it and about the required data. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent logins or use of the account, we store customers’ IP addresses and access times to document registration and prevent misuse. Once the account is terminated, customer account data is deleted after the termination date unless retained for other purposes or legal reasons (e.g., internal storage of customer data, orders, or invoices). Customers are responsible for backing up their data upon account termination; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 lit. f GDPR).
- General payment processing: Procedures required for payment transactions, monitoring bank accounts, and controlling cash flows (e.g., preparation and verification of transfers, processing direct debits, monitoring account statements, tracking incoming and outgoing payments, managing returns, account reconciliation, cash management); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Accounting, accounts payable, and accounts receivable: Procedures for recording, processing, and controlling business transactions in accounts payable and receivable (e.g., preparing and reviewing incoming and outgoing invoices, monitoring and managing open items, executing payment transactions, managing dunning processes, account reconciliation for receivables and liabilities, accounts payable and receivable accounting); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR), legal obligation (Art. 6 para. 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Financial accounting and taxes: Procedures for recording, managing, and controlling financially relevant business transactions, as well as calculating, reporting, and paying taxes (e.g., posting and booking business transactions, preparing quarterly and annual financial statements, processing payments, managing dunning procedures, account reconciliation, tax consulting, preparing and submitting tax returns, handling tax matters); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR), legal obligation (Art. 6 para. 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Marketing, advertising, and sales promotion: Procedures required for marketing, advertising, and sales promotion (e.g., market analysis and target group identification, developing marketing strategies, planning and executing advertising campaigns, designing and producing marketing materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management and cost control); Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
- Public relations: Procedures required for public relations (e.g., developing and implementing communication strategies, planning and executing PR campaigns, preparing and distributing press releases, maintaining media contacts, monitoring and analyzing media coverage, organizing press conferences and public events, crisis communication, creating content for social media and corporate websites, managing corporate branding); Legal bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Use of Online Platforms for Offer and Sales Purposes
We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy notice, the privacy policies of the respective platforms also apply. This is especially relevant regarding the execution of payment transactions and the procedures used on the platforms for reach measurement and interest-based marketing.
- Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; business and contractual partners; prospects.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; marketing; business processes and economic procedures; conversion measurement (measuring the effectiveness of marketing measures); provision of our online services and user-friendliness.
- Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
- Legal basis: Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, methods, and services:
- Adobe Commerce: E-commerce platform for creating and managing online stores, product catalog management, order processing, customer account management, marketing and promotion tools, analysis and reporting functions; Service provider: Adobe Systems Software Ireland, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://business.adobe.com/products/magento/magento-commerce.html; Privacy policy: https://www.adobe.com/de/privacy.html; Data processing agreement: Provided by the service provider. Basis for transfers to third countries: Data Privacy Framework (DPF).
Providers and Services Used in the Course of Business Activities
In the course of our business activities, we use additional services, platforms, interfaces, or plug-ins from third-party providers (collectively "services"), in compliance with legal requirements. Their use is based on our interest in the proper, lawful, and economical management of our business operations and internal organization.
- Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and contributions as well as related information, such as authorship or creation time); Contract data (e.g., contract subject, duration, customer category).
- Data subjects: Service recipients and clients; prospects; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and economic procedures.
- Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, methods, and services:
- Elektro-technische Vertriebsgesellschaft mbH (subsidiary): Logistics and shipping services. We share certain personal data with Elektro-technische Vertriebsgesellschaft mbH to enable shipping and delivery of packages, including tracking and recipient notifications. This information may include recipients’ names, addresses, and contact details; Service provider: Elektro-technische Vertriebsgesellschaft mbH, Industriering Ost 40, 47906 Kempen; Website: https://www.profi-electro.de/; Privacy policy: https://www.profi-electro.de/datenschutz.
Payment Methods
In the context of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we provide data subjects with efficient and secure payment options and use, in addition to banks and credit institutions, other service providers (collectively "payment service providers"). Payment transactions are carried out exclusively via encrypted connections according to the state of the art, so that the data entered is protected from unauthorized access during transmission.
Data processed by payment service providers includes master data, such as name and address, bank data, such as account or credit card numbers, passwords, TANs and verification codes, as well as contract, amount, and recipient-related information. These details are required to carry out the transactions. However, the entered data is processed and stored only by the payment service providers. That is, we do not receive account or credit card-related information, only confirmation or rejection of the payment. In some cases, the data may be transmitted by the payment service providers to credit agencies for identity and creditworthiness checks. For this, we refer to the terms and conditions and privacy notices of the payment service providers.
For payment transactions, the terms and conditions and privacy notices of the respective payment service providers apply, which are available on their respective websites or transaction applications. We refer to these for further information and for asserting rights of withdrawal, access, and other data subject rights.
- Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; business processes and economic procedures.
- Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
- Legal basis: Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, methods, and services:
- Mollie: Payment services (technical integration of online payment methods); Service provider: Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://www.mollie.com/de; Privacy policy: https://www.mollie.com/de/privacy.
Provision of the Online Service and Web Hosting
We process user data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Types of data processed: Usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons); Log data (e.g., log files concerning logins, data retrieval, or access times).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures.
- Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, methods, and services:
- Provision of online service on rented server space: For providing our online services, we use storage space, computing capacity, and software rented or otherwise obtained from a server provider (also "web host"); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Collection of access data and log files: Access to our online services is logged in the form of so-called "server log files." Server log files may include the address and name of requested web pages and files, date and time of access, transmitted data volume, notification of successful retrieval, browser type and version, user’s operating system, referrer URL (previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server utilization and stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is excluded from deletion until the relevant incident is fully resolved.
- Hetzner: Services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz; Data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
Use of Cookies
The term “cookies” refers to functions that store information on users’ devices and read it from them. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as generating analyses of visitor flows. We use cookies in accordance with legal requirements. If necessary, we obtain users’ consent beforehand. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offerings. Consent can be revoked at any time. We provide clear information about the scope of consent and which cookies are used.
Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.
Storage duration: Regarding storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes the application used to access it (e.g., browser or mobile application).
- Persistent cookies: Persistent cookies remain stored even after that application is closed. For example, login status can be saved, and preferred content can be displayed immediately when the user revisits a website. User data collected via cookies can also be used for audience measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these are persistent and may be stored for up to two years.
General notes on withdrawal and objection (opt-out): Users can revoke the consents they have given at any time and also object to the processing in accordance with legal requirements, including via their browser’s privacy settings.
- Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g., website visitors, users of online services).
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further notes on processing procedures, methods, and services:
- Processing of cookie data based on consent: We use a consent management solution, where users’ consent to the use of cookies or the procedures and providers named within the consent management solution is obtained. This procedure serves to obtain, log, manage, and revoke consent, particularly regarding the use of cookies and similar technologies used to store, read, and process information on users’ devices. Within this procedure, users’ consent for the use of cookies and related data processing, including the specific processing and providers named in the consent management process, is obtained. Users also have the option to manage and revoke their consents. Consent declarations are stored to avoid repeated requests and to document consent in accordance with legal requirements. Storage is server-side and/or in a cookie (so-called opt-in cookie) or via similar technologies to assign the consent to a specific user or device. Unless specific information about consent management service providers is provided, the following general notes apply: The storage duration of consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information about the scope of consent (e.g., relevant categories of cookies and/or service providers), and information about the browser, system, and device used; Legal basis: Consent (Art. 6(1)(a) GDPR).
- Usercentrics: Storage and management of consents (agreement to cookies and data processing), logging of user decisions, display of privacy and cookie notices, enabling users to revoke or adjust consents; Service provider: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany; Website: https://usercentrics.com/de/; Privacy policy: https://usercentrics.com/de/datenschutzerklaerung/.
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within existing user and business relationships, the data of the inquiring persons is processed to the extent necessary to respond to contact requests and any requested measures.
- Types of data processed: Master data (e.g., full name, address, contact details, customer number, etc.); contact data (e.g., postal and email addresses, phone numbers); content data (e.g., text or image messages and contributions as well as related information such as authorship or creation time); usage data (e.g., page views, dwell time, click paths, usage frequency and intensity, device types and operating systems, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners.
- Purpose of processing: Communication; organizational and administrative processes; feedback (e.g., collecting feedback via online form). Provision of our online services and user-friendliness.
- Storage and deletion: Deletion in accordance with the section "General information on data storage and deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR).
Further notes on processing procedures, methods, and services:
- Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to answer and handle the respective request. This typically includes information such as name, contact details, and, if applicable, additional information provided to handle the request appropriately. We use this data solely for the specified purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis (also called “audience measurement”) serves to evaluate the visitor flows of our online offerings and may include behavior, interests, or demographic information of visitors, such as age or gender, as pseudonymous values. Through audience analysis, we can identify, for example, the times when our online offerings or their functions and content are most frequently used or invite reuse. It also enables us to determine which areas require optimization.
In addition to web analysis, we may also use testing procedures to test and optimize different versions of our online offerings or their components.
Unless otherwise specified below, profiles can be created for these purposes, i.e., data aggregated for a single usage session, and information can be stored in a browser or device and read from there. Collected data includes visited websites and used elements, as well as technical information such as the browser used, the computer system, and usage times. If users have consented to the collection of their location data, processing of location data is also possible.
Moreover, users’ IP addresses are stored. We use an IP-masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no data that directly identifies users (such as email addresses or names) is stored in the context of web analysis, A/B testing, and optimization; only pseudonyms are used. This means that neither we nor the providers of the software know the actual identity of users, only the information stored in the profiles for the purposes of these procedures.
Notes on legal bases: If we request users’ consent for the use of third-party services, the legal basis for processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also refer to the information on cookie usage in this privacy policy.
- Types of data processed: Usage data (e.g., page views, dwell time, click paths, usage frequency and intensity, device types and operating systems, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Audience measurement (e.g., access statistics, recognition of recurring visitors); creation of user profiles; remarketing.
- Storage and deletion: Deletion in accordance with the section "General information on data storage and deletion". Cookies stored for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for up to two years).
- Security measures: IP-masking (pseudonymization of IP addresses).
- Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing procedures, methods, and services:
- Matomo: Matomo is software used for web analysis and audience measurement. When using Matomo, cookies are generated and stored on users’ devices. Data collected via Matomo is only processed by us and not shared with third parties. Cookies are stored for a maximum of 13 months: https://matomo.org/faq/general/faq_146/; Legal basis: Consent (Art. 6(1)(a) GDPR). Data deletion: Cookies are stored for a maximum of 13 months.
Online Marketing
We process personal data for online marketing purposes, which includes, in particular, the marketing of advertising spaces or the display of advertising and other content (collectively referred to as “content”) based on potential user interests, as well as measuring their effectiveness.
For these purposes, user profiles may be created and stored in a file (the so-called “cookie”) or similar methods may be used to store the information relevant to displaying the above content. This may include, for example, content viewed, websites visited, online networks used, communication partners, and technical information such as the browser used, computer system, and usage times and functions. If users have consented to the collection of location data, this may also be processed.
Users’ IP addresses are also stored. We use IP-masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no data that directly identifies users (such as email addresses or names) is stored in the online marketing process, only pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of users, only the information stored in profiles.
Profile information is generally stored in cookies or via similar procedures. These cookies may later also be read on other websites using the same online marketing procedure, analyzed for content display purposes, supplemented with additional data, and stored on the marketing provider’s server.
Exceptionally, directly identifying data may be assigned to profiles, primarily if users are members of a social network whose online marketing procedure we use, and the network links user profiles with the above information. Users may make additional agreements with providers, e.g., through consent during registration.
We generally only receive access to aggregated information about the success of our ads. However, conversion tracking allows us to determine which online marketing procedures led to a conversion, e.g., a contract with us. Conversion tracking is only used to analyze the success of our marketing measures.
Unless otherwise specified, assume that cookies used are stored for a period of two years.
Notes on legal bases: If we request users’ consent for third-party services, the legal basis for data processing is consent. Otherwise, data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). We also refer to the information on cookie usage in this privacy policy.
Notes on withdrawal and objection:
We refer to the privacy notices of the respective providers and the opt-out options specified by them. If no explicit opt-out option is provided, you can disable cookies in your browser settings. This may restrict some functions of our online services. We additionally recommend the following opt-out options offered regionally:
a) Europe: https://www.youronlinechoices.eu
b) Canada: https://youradchoices.ca/
c) USA: https://optout.aboutads.info/
d) Global: https://optout.aboutads.info
- Types of data processed: Usage data (e.g., page views, dwell time, click paths, usage frequency and intensity, device types and operating systems, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Audience measurement (e.g., access statistics, recognition of recurring visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); audience building; marketing; creation of user profiles. Provision of our online services and user-friendliness.
- Storage and deletion: Deletion in accordance with the section "General information on data storage and deletion". Cookies stored for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for up to two years).
- Security measures: IP-masking (pseudonymization of IP addresses).
- Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing procedures, methods, and services:
- Google Ad Manager: We use the service "Google Ad Manager" to place ads in the Google advertising network (e.g., in search results, videos, websites, etc.). Google Ad Manager displays ads in real-time based on presumed user interests. This allows us to show ads to users potentially interested in our offerings and measure ad performance; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); More information: Processing types and processed data: https://business.safety.google/adsservices/; Processing terms for Google advertising products: Information on services, processing terms between controllers, and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms; if Google acts as a processor, processing terms for Google advertising products and standard contractual clauses for third-country transfers: https://business.safety.google/adsprocessorterms.
- Google Adsense with personalized ads: We use the Google Adsense service to place personalized ads within our online offerings. Google Adsense analyzes user behavior and uses this data to deliver targeted advertising tailored to our visitors’ interests. We receive financial compensation for each ad placement or other use of these ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); More information: Processing types and processed data: https://business.safety.google/adsservices/; Processing terms for Google advertising products: Information on services, processing terms between controllers, and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms.
Social Media Presence
We maintain online presences within social networks and, in this context, process user data to communicate with users active there or to provide information about us.
We point out that user data may be processed outside the territory of the European Union. This may entail risks for users, for example, making it more difficult to enforce their rights.
Furthermore, users’ data within social networks is generally processed for market research and advertising purposes. For instance, usage profiles may be created based on users’ behavior and resulting interests. These profiles may, in turn, be used to display advertisements within and outside the networks that are likely to match users’ interests. Therefore, cookies are usually stored on users’ devices, storing information about user behavior and interests. In addition, data in user profiles may also be stored independently of the devices used by the users (especially if they are members of the respective platforms and logged in there).
For a detailed description of the respective processing methods and the available opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.
For information requests and the exercise of data subject rights, we likewise point out that these can be most effectively asserted with the providers themselves. Only they have access to the user data and can directly take appropriate measures and provide information. However, if you need assistance, you may contact us.
- Types of data processed: Contact data (e.g., postal and email addresses, phone numbers); content data (e.g., textual or image messages and posts, as well as related information such as authorship or creation time). Usage data (e.g., page views and dwell time, click paths, usage frequency and intensity, device types and operating systems, interactions with content and functions).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Communication; feedback (e.g., collecting feedback via online form). Public relations.
- Storage and deletion: Deletion according to the section "General information on data storage and deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing procedures, methods, and services:
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/personalizationoff.
Plugins and Embedded Features and Content
We integrate functional and content elements into our online offerings, which are retrieved from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can, for example, include graphics, videos, or maps (hereinafter uniformly referred to as “content”).
The integration always assumes that the third-party providers of this content process the users’ IP addresses, as they could not send the content to their browsers without an IP address. The IP address is thus required for displaying these content elements or functions. We endeavor to use only content whose providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. Pixel tags can collect information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical details about the browser and operating system, referring websites, time of visit, and further information about the use of our online offerings, as well as be combined with information from other sources.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also refer to the information on cookie usage in this privacy policy.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage frequency and intensity, device types and operating systems, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offerings and user-friendliness; reach measurement (e.g., access statistics, recognition of recurring visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); audience building; marketing.
- Storage and deletion: Deletion according to the section "General information on data storage and deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for up to two years).
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing procedures, methods, and services:
- Google Fonts (retrieved from Google servers): Retrieval of fonts (and symbols) to ensure technically secure, maintenance-free, and efficient use of fonts and symbols with regard to updates and loading times, uniform display, and consideration of possible licensing restrictions. The provider of the fonts receives the user’s IP address so that the fonts can be provided in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted, which are necessary for delivering the fonts depending on the devices and technical environment used. These data may be processed on a server of the font provider in the USA. When visiting our online offering, users’ browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the website where the Google font should be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to these data is restricted and strictly controlled. The requested URL identifies the font families that the user wishes to load. These data are logged so that Google can determine how often a specific font family is requested. The user agent is needed to adapt the font to the respective browser type. The user agent is mainly logged and used for debugging and to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report of top integrations based on the number of font requests can be generated. According to Google, none of the information collected by Google Fonts is used to create profiles of end users or deliver targeted advertising; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
- YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for ad display: https://myadcenter.google.com/personalizationoff.
Management, Organization, and Support Tools
We use services, platforms, and software from other providers (hereinafter referred to as “third-party providers”) for the purposes of organization, administration, planning, and delivery of our services. When selecting third-party providers and their services, we comply with legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. Various types of data may be affected, which we process in accordance with this privacy policy. These may include, in particular, master data and contact data of users, data on transactions, contracts, other processes, and their content.
If users are referred to third-party providers or their software/platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask that users pay attention to the privacy notices of the respective third-party providers.
- Types of data processed: Content data (e.g., textual or image messages and posts, as well as related information such as authorship or creation time); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners; users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures.
- Storage and deletion: Deletion according to the section "General information on data storage and deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Application Procedure
The application procedure requires applicants to provide us with the data necessary for their evaluation and selection. Which information is required is derived from the job description or, in the case of online forms, from the information requested there.
Generally, required information includes personal data such as name, address, a contact option, and proof of qualifications necessary for the position. Upon request, we are happy to provide additional information on which data is required.
Applicants may submit their applications via our online form, which is encrypted according to the current state of the art. Alternatively, applications can also be sent by email. Please note, however, that emails are not encrypted by default when sent over the Internet. Although emails are usually encrypted in transit, they are not encrypted on the servers from which they are sent or on which they are received. Therefore, we cannot take responsibility for the security of applications during their transmission from the sender to our server.
For the purposes of applicant search, submission of applications, and selection of applicants, we may, in compliance with legal requirements, use applicant management or recruitment software and platforms provided by third-party providers.
Applicants are welcome to contact us regarding the method of submission or send their applications by post.
Processing of special categories of data: If, in the context of the application procedure, special categories of personal data (Art. 9(1) GDPR, e.g., health data such as disability status or ethnic origin) are requested from or provided by applicants, processing is carried out to enable the controller or the data subject to exercise their rights and fulfill their obligations under labor law and social security law, to protect the vital interests of applicants or other persons, or for purposes of health care, occupational medicine, assessment of working capacity, medical diagnostics, health or social care, or management of systems and services in the health or social sector.
Deletion of data: Data provided by applicants may be further processed in the event of a successful application for the purposes of the employment relationship. Otherwise, if the application is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if the application is withdrawn, which applicants may do at any time. Deletion will take place, subject to a justified objection by the applicant, no later than six months after submission, so that we can respond to any follow-up questions regarding the application and meet our obligations under anti-discrimination laws. Receipts for any travel cost reimbursement will be archived according to tax regulations.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the applicant pool is voluntary, has no influence on the ongoing application process, and may be revoked at any time with effect for the future.
- Types of data processed: Master data (e.g., full name, address, contact information, customer number, etc.); contact data (e.g., postal and email addresses, phone numbers); content data (e.g., textual or image messages and posts, as well as related information such as authorship or creation time); applicant data (e.g., personal information, postal and contact addresses, application documents and the information contained therein, such as cover letters, CVs, certificates, and additional voluntarily provided information relevant to a specific position).
- Data subjects: Applicants.
- Purposes of processing: Application procedure (initiation and potential later execution, as well as possible subsequent termination of the employment relationship).
- Storage and deletion: Deletion according to the section "General information on data storage and deletion".
- Legal bases: Application procedure as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR).
Changes and Updates
We ask that you regularly review the content of our privacy policy. We update the privacy policy whenever changes to our data processing activities make it necessary. We will inform you if changes require an action on your part (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies or organizations in this privacy policy, please note that addresses may change over time, and we ask that you check the information before making contact.
Responsible supervisory authority:
Data Protection Commissioner of North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Phone: +49 211 384240
https://www.ldi.nrw.de/
Definitions of Terms
This section provides an overview of the terminology used in this privacy policy. Where terms are legally defined, their legal definitions apply. The explanations below are primarily intended to aid understanding.
- Employees: "Employees" refers to individuals who are in an employment relationship, whether as staff, employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee, established by an employment contract or agreement. It includes the employer's obligation to pay remuneration while the employee performs their work. The employment relationship includes various phases, including initiation, during which the contract is concluded, execution, during which the employee performs their duties, and termination, when the employment relationship ends, whether by resignation, termination agreement, or other means. Employee data encompasses all information relating to these individuals in the context of their employment, including personal identification data, identification numbers, salary and banking information, working hours, vacation entitlements, health data, and performance evaluations.
- Master Data: Master data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This may include personal and demographic information such as names, contact details (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, facilities, or systems, enabling unique identification and communication.
- Content Data: Content data includes information generated during the creation, editing, and publication of all types of content. This category can include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself but also includes metadata providing information about the content, such as tags, descriptions, authorship, and publication dates.
- Contact Data: Contact data is essential information that enables communication with individuals or organizations. It includes, among other things, phone numbers, postal addresses, email addresses, and communication channels such as social media handles and instant messaging identifiers.
- Conversion Measurement: Conversion measurement (also called “visit action analysis”) is a process used to assess the effectiveness of marketing measures. Typically, a cookie is stored on users’ devices within the websites where marketing measures take place and is later retrieved on the target website. This allows us, for example, to track whether ads we placed on other websites were successful.
- Meta, Communication, and Procedural Data: These categories include information about how data is processed, transmitted, and managed. Metadata, also known as data about data, provides context, origin, and structure of other data, including file size, creation date, document author, and change history. Communication data captures the exchange of information between users through channels such as emails, call logs, social media messages, and chat histories, including participants, timestamps, and transmission paths. Procedural data describes processes and workflows within systems or organizations, including workflow documentation, transaction logs, activity logs, and audit logs used to trace and verify processes.
- Usage Data: Usage data refers to information on how users interact with digital products, services, or platforms. This includes a wide range of information showing how users use applications, which features they prefer, how long they spend on certain pages, and which paths they navigate within an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. Usage data is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. It also plays a key role in identifying trends, preferences, and potential issues in digital offerings.
- Personal Data: "Personal data" is any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- User Profile Information: The processing of "user profile information," or "profiles," refers to any automated processing of personal data used to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the profiling type, this may include demographic, behavioral, and interest information, such as interaction with websites and content). Profiling often uses cookies and web beacons to predict interests in content or products, click behavior on a website, or location.
- Log Data: Log data is information about events or activities recorded in a system or network. This typically includes timestamps, IP addresses, user actions, error messages, and other details about system use or operation. Log data is often used for system analysis, security monitoring, or performance reporting.
- Reach Measurement: Reach measurement (also called web analytics) evaluates visitor traffic to an online offering and can include information on visitor behavior or interests in certain information, such as website content. Reach analysis allows operators to determine when users visit their websites and which content interests them, enabling better tailoring of website content. Pseudonymous cookies and web beacons are commonly used to recognize returning visitors and perform more accurate usage analysis.
- Remarketing: "Remarketing" or "retargeting" refers to tracking a user’s interest in certain products on a website in order to display related advertisements to the user on other websites.
- Tracking: "Tracking" refers to monitoring user behavior across multiple online offerings. Behavioral and interest information is typically stored in cookies or on servers of tracking technology providers (so-called profiling). This information can then be used, for example, to display advertisements that are likely to match the user’s interests.
- Controller: The "controller" is the natural or legal person, authority, organization, or other body that alone or jointly with others determines the purposes and means of processing personal data.
- Processing: "Processing" is any operation or set of operations performed on personal data, with or without automated means. The term is broad and encompasses practically any handling of data, including collection, evaluation, storage, transmission, or deletion.
- Contract Data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This includes identification of contracting parties, contract start and end dates, agreed services or products, price agreements, payment terms, termination rights, renewal options, and special conditions or clauses. Contract data forms the legal basis of the relationship between the parties and is essential for determining rights and obligations, enforcing claims, and resolving disputes.
- Payment Data: Payment data includes all information necessary to process financial transactions between buyers and sellers. This may include credit card numbers, bank account details, payment amounts, transaction data, verification numbers, and invoice information, as well as details on payment status, chargebacks, authorizations, and fees.
- Audience Targeting: "Audience targeting" (Custom Audiences) refers to the creation of target groups for advertising purposes, e.g., displaying ads to users based on their interest in certain products or topics. "Lookalike Audiences" are similar groups where content is shown to users whose profiles or interests are presumed to match those of the original audience. Cookies and web beacons are usually used for creating Custom and Lookalike Audiences.