
Privacy Policy

Privacy Policy for the website https://planubo.com


This Privacy Policy explains what personal data is collected on our website and for what purposes it is used.


I.        Name and address of the controller

The data controller within the meaning of the General Data Protection Regulation (“GDPR”) and other national data protection laws of the member states, as well as other data protection regulations, is:

Planubo GbR

Am Hirtengarten 2

77743 Neuried

Germany

Tel.: +49 7807 89089 76

Email: info@planubo.com

Website: https://planubo.com/


II.       General Information on Data Processing on Our Website


1.       Description and scope of personal data processing

The processing of our users’ personal data generally takes place only to the extent necessary to provide our website, as well as our content and services. To the extent required by law, processing in individual cases occurs only with the user’s consent. Exceptions apply in cases where the processing of personal data is already permitted by other legal provisions.


2.       Legal basis for the processing of personal data

To the extent that consent from the data subject is obtained for the processing of personal data, we process the data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, provided that special categories of personal data are processed. In the event of explicit consent to the transfer of personal data to third countries outside the EU/EEA, data processing is additionally carried out on the basis of Article 49(1)(a) of the GDPR. To the extent that the processing of personal data is necessary for the performance of a contract or for the implementation of pre-contractual measures, Article 6(1)(b) of the GDPR serves as the legal basis. We also process personal data to the extent that this is necessary to comply with a legal obligation pursuant to Article 6(1)(c) of the GDPR. To the extent that processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not override this interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing. Please refer to the subsequent sections of this Privacy Policy to determine which legal basis applies to the respective data processing.


3.       Duration of Storage and Obligation to Erase Data

We generally store the personal data of data subjects only for as long as is legally permissible. Unless a specific retention period is specified for individual data processing operations, the personal data of the data subject will be deleted (or blocked) in particular as soon as the respective purpose of storage no longer exists. Furthermore, storage may only take place if this has been provided for by European or national legislators in relevant regulations, laws, or other provisions applicable to us as the data controller. Deletion (or blocking) of personal data may also occur if a storage period or retention period prescribed by the aforementioned regulations expires, unless the storage of the data subject’s personal data is necessary for the conclusion or performance of a contract or other legal grounds require further storage.


4.       Transfer of Personal Data Outside the EU/EEA

In the context of using services or applications provided by third-party providers, data processing may take place in third countries outside the member states of the European Union (EU) or the contracting states of the Agreement on the European Economic Area (EEA). For this purpose, the European Commission has issued an adequacy decision pursuant to Art. 45(1) GDPR for some of these third countries, confirming under certain conditions that adequate protection for personal data exists in the respective country. The list of currently valid adequacy decisions by the European Commission can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. The scope of these adequacy decisions may vary from country to country. For example, the adequacy decision for the United States of America (USA) applies only if the respective data recipient in the USA can demonstrate certification under the so-called EU-US Data Privacy Framework with the US Department of Commerce. Information on this can be found below under the respective providers.

In cases where no adequacy decision has been issued by the European Commission, appropriate agreements are generally entered into with the respective service providers, such as the conclusion of standard contractual clauses, which are intended, among other things, to ensure a level of data protection that is adequate by European standards. In addition—to the extent required by applicable data protection laws—further protective measures (e.g., encryption and additional contractual provisions regarding guarantees, etc.) are taken to ensure an adequate level of protection for your personal data.

In this privacy policy, we expressly indicate the legal basis on which data is transferred to the respective third country.


III.      Data Processing in Connection with the Provision of the Website and the Creation of Log Files


1.       Description and Scope of Personal Data Processing

Each time a user accesses our website, the system automatically collects data and information from the computer system of the user’s accessing device. In particular, the following data is collected:

               User’s IP address

               Date and time of access

               Website visited

               Source/link from which the user accessed our website

               Information about the browser type and version used

               The user’s operating system

The aforementioned data is also stored in our system’s log files. However, this data is not stored together with other personal data of the user.

We use a web hosting provider to collect and store data, with whom we have entered into a data processing agreement. The provider is STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin. Further information about the provider and the privacy policy can be found here: https://www.strato.de/datenschutz/


2.       Purpose of processing personal data

The purpose of temporarily storing the IP address by our system is to deliver our website to the user’s device. For this, it is essential that the user’s IP address remains stored for the duration of the session.

The purpose of storing data in the log files is to ensure the functionality of our website. This data is also used for technical optimization and testing the stability of the website, as well as to ensure the security of our IT systems.


3.       Legal basis for the processing of personal data

The legal basis for the temporary storage of data and the storage of data in log files is Art. 6(1)(f) GDPR. The aforementioned purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) of the GDPR. It is not apparent that the interests, fundamental rights, and freedoms of the data subject outweigh this interest.


4.       Duration of Storage and Data Deletion

In principle, the data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collected for the provision of the website, this occurs when the respective session ends. No further storage of the data takes place.

If data is stored in log files, deletion occurs after seven days at the latest. If storage extends beyond this period, the users’ IP addresses are deleted or truncated in such a way that the accessing device can no longer be identified.


5.       Right to Object and Right to Erasure

As is evident from the purpose of data processing, the collection of the aforementioned data for the provision of our website and the storage of data in log files are absolutely necessary for the operation of the website. For this reason, the user has no right to object.


IV.      Use of a consent management service (Cookie Consent Manager)


1.       Description and scope of the processing of personal data

We use the consent management service “Devowl Real Cookie Banner” provided by devowl.io GmbH, located at Tannet 12, 94539 Grafling (hereinafter “Real Cookie Banner”). When you visit our website, the system automatically collects data and information from the computer system of the user’s device accessing the site. The following data is collected in this case through the use of the service:

               Opt-in and opt-out data

               Referrer URL

               User Agent

               User settings

               Consent ID

               Time of consent

               Consent type

               Template version

               Banner language

Since the data is stored exclusively by us and the provider has no access to this data, the provider states that entering into a data processing agreement is not necessary. The provider’s privacy policy and further information can be found here: https://devowl.io/de/datenschutzerklaerung/.


2.       Purpose of processing personal data

The service is used by integrating it into our website to enable the collection of legally required consents. This serves to comply with legal obligations, according to which data processing requiring consent may only be carried out via the website if the user has given their consent. Both the storage and the management of the obtained consents take place exclusively on our servers and not through the service. This also applies in the event of the revocation of the consent granted.


3.       Legal basis for the processing of personal data

The legal basis is Article 6(1)(c) of the GDPR, based on the legal obligation to store the aforementioned data.


4.       Duration of storage and data deletion

In principle, the transmitted data is deleted as soon as it is no longer necessary for the purpose for which it was collected. The retention period is the time during which the collected data is stored for processing.

Consent data (consent granted and withdrawal of consent) is stored for three years. The data is then deleted immediately.


5.       Right to Object and Right to Erasure

The collection and storage of data are required by law for the operation of the website. Consequently, the user has no right to object.


V.       Use of and Data Processing via Cookies


1.       Description and Scope of Personal Data Processing

We use cookies in connection with the provision of our website. These are data records that are stored in the web browser or by the web browser on the user’s device. As soon as a user visits a website, a cookie may be stored on the user’s device. The respective cookie contains a unique string of characters that generally allows for the unambiguous identification of the browser when the website is visited again. Cookies are stored on your device either temporarily for the duration of a session (so-called “session cookies”) or permanently (so-called “permanent cookies”).

We use technically necessary cookies to ensure our website functions properly. In this regard, some elements of our website require that the accessing browser can be recognized even after a page change. The following information is stored and transmitted in the respective cookies:

               Language settings

               Log-in information

In addition, we use cookies on our website that, for example, enable an analysis of users’ browsing behavior or are used for advertising purposes. The data collected in this manner is explained in Section VI of this Privacy Policy.

When a user visits our website, they are informed about the use of cookies for analytical and advertising purposes with a reference to this Privacy Policy, and their consent to the processing of the personal data used in this context is obtained via the aforementioned Cookie Consent Manager. In this case, you will also receive further information about the individual cookies, such as their name, purpose, and duration of storage.


2.       Purpose of Processing Personal Data

The purpose of using technically necessary cookies is to enable users to use websites in the first place. They can, for example, serve to maintain user sessions and prevent security threats. There are some features on our website that cannot be provided without the use of cookies. In these cases, it is essential that, for example, the browser is recognized even after a page change. This applies, for example, to the following applications:

               Application of language settings

               Log-in information

The user data collected by technically necessary cookies is not used to create user profiles.

Analytics and advertising cookies are used to optimize the quality of our website and improve the presentation of content. Analytics and advertising cookies allow us to determine how users interact with the website, enabling us to continuously optimize our offerings and make them more engaging for users.


3.       Legal basis for the processing of personal data

The legal basis for the processing of personal data using cookies for analytics and advertising purposes is Article 6(1)(a) of the GDPR, provided the user has given their consent.

The legal basis for the processing of personal data using technically necessary cookies within the meaning of Section 25(2) TDDDG is Article 6(1)(f) of the GDPR. In this regard, we have a legitimate interest in the use of necessary cookies to ensure the technically error-free and optimized provision of our services. It is not apparent that the interests, fundamental rights, and freedoms of the data subject outweigh this interest.


4.       Duration of Storage and Data Deletion

The duration of storage and data deletion depend on the type of cookie and how the user configures their browser settings. This is because cookies are stored on the user’s device and transmitted from there to our website. In this regard, it is generally possible to completely disable or restrict the acceptance of cookies. Stored cookies can also be deleted by the user at any time, which can even be done automatically. Session cookies are automatically deleted at the end of the website visit. Persistent cookies remain stored on the user’s device until the user deletes them or the browser deletes them automatically.

For details on the cookies used and their storage duration, please refer to our Cookie Consent Manager. Please note that you may not be able to use all features of our website to their full extent if you disable cookies for our website.


5.       Right to Object and Removal

As a user, you have the following options to object and remove cookies:

               You may revoke your previously given consent to the use of analytics and advertising cookies at any time with future effect by notifying us or by changing your data protection or privacy settings within our Cookie Consent Manager.

               You can also prevent the collection of data generated by the respective cookie and related to your use of our website (including your IP address), as well as the processing of this data, by downloading and installing the plugin available for your browser.

               You can also manage advertising cookies using tools developed in many countries as part of self-regulatory programs, such as https://optout.aboutads.info/ (USA) or http://www.youronlinechoices.com/uk/your-ad-choices (EU).


6.       Transfer of Personal Data Outside the EU/EEA

If you give your consent to the use of functional cookies as well as cookies for analytical and advertising purposes, you also consent, in accordance with Art. 49(1)(a) GDPR, to your data being processed in a third country outside the EU/EEA. If you do not wish this, you may withhold your consent. Furthermore, you may revoke your consent at any time with future effect. The lawfulness of the data processing carried out prior to the revocation of your consent remains unaffected.


VI.      Use of Web Analytics via Google Analytics


1.       Description and scope of the processing of personal data

We use “Google Analytics 4” on our website, a web analytics service provided by Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). This makes it possible to associate data, sessions, and interactions across multiple devices with a pseudonymous user ID, thereby enabling the analysis of a user’s activities across devices.

Google uses cookies, i.e., data records that are stored on the user’s device and enable an analysis of the use of the website. The information generated by the cookie regarding the use of this website is generally processed first within the EU or the EEA. If IP anonymization is enabled on this website, the user’s IP address is truncated by Google within the EU or the EEA beforehand. Only in exceptional cases is the full IP address transmitted to a Google server in the U.S. and truncated there. On behalf of the operator of this website, Google will use this information to evaluate the use of the website, to compile reports on website activity, and to provide other services related to website and internet usage to the website operator.

The following user data, among others, is processed in this context:

               User’s IP address

               Date and time of access

               Requesting domain

               Device type, model, brand, screen resolutions

               Operating system, versions, families

               Browser, version, configuration, engines, plugins, language, language code

               Location data

               Pages per visit, number of visits, repeat visits

               Visit duration, visit day

               Entry pages, exit pages, page URL, page title

               Search terms, downloads

               Search engines, search terms, websites, social networks

               Campaigns, campaign keywords

We have entered into a data processing agreement with Google for this purpose. The provider’s terms of use can be found at: www.google.com/analytics/terms/de.html and the privacy policy at: www.google.de/intl/de/policies/privacy.


2.       Purpose of processing personal data

The purpose of using the web analytics service is to analyze the use of our website and to be able to regularly optimize the website based on the analyses. Using the statistics obtained, we can continuously improve our offering and make it more interesting for you as a user.


3.       Legal basis for the processing of personal data

The legal basis for the use of the web analytics service is Article 6(1)(a) of the GDPR, provided that the user has previously given their consent.


4.       Duration of storage and data deletion

According to Google, data sent by Google and linked to cookies, user identifiers (e.g., user ID), or advertising IDs is automatically deleted after 14 months at the latest. For details, please refer to our Cookie Consent Manager. According to Google, data whose retention period has expired is automatically deleted once a month. Please note that we have no influence over the duration of storage at Google.


5.       Right to Object and Right to Erasure

As a user, you have the following options to object and delete data:

               You may revoke your previously given consent to the use of analytics and advertising cookies at any time with future effect by notifying us or by changing your data protection or privacy settings within our Cookie Consent Manager.

               You can prevent the storage of cookies by adjusting your browser settings accordingly.

               You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout

               Opt-out cookies prevent the future collection of your data when you visit this website.

This website uses Google Analytics with the “_anonymizeIp()” extension. This shortens IP addresses during processing, thereby preventing any personal identification. If the data collected about you is personally identifiable, this is immediately excluded, and the personal data is promptly deleted.


6.       Transfer of Personal Data Outside the EU/EEA

The processing of personal data by Google in the U.S. cannot be entirely ruled out. In cases where personal data is transferred to the U.S., Google relies on the conclusion of standard contractual clauses. Furthermore, Google LLC is certified under the EU-U.S. Data Privacy Framework by the U.S. Department of Commerce, meaning that the EU Commission’s adequacy decision also applies to data transfers directly to the U.S.


7.       Use of Google Tag Manager

We use the functions of Google Tag Manager on our website. Google Tag Manager is a solution that allows marketers to manage so-called website tags via a user interface. The “Tag Manager” tool itself, which implements the tags, is a service that can collect personal data by setting cookies. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has been performed at the domain or cookie level, it remains in effect for all tracking tags implemented with Google Tag Manager. You can find more information about the provider and how Tag Manager works here: https://www.google.com/analytics/tag-manager/use-policy/.

Click here to opt out of tracking via Google Tag Manager: Enable/disable Google Tag Manager tracking.


VII.     Provision of a contact form and an email contact


1.       Description and scope of the processing of personal data

We provide a contact form on our website to enable you to contact us electronically. If and to the extent that users send us an inquiry or message via the contact form, the data entered in the form is transmitted to us and stored by us. This includes, among other things, your last name, first name, email address, and the nature of your inquiry.

At the time the message is sent, the following data is also stored:

               The user’s IP address

               Date and time of the message

Your consent is obtained for the processing of the data as part of the submission process, and reference is made to this privacy policy.

In addition, you may contact us via the email address provided in our contact information. In this case, the user’s personal data transmitted with the email, as well as the inquiry submitted, will be stored by us.

In this context, the data is generally not disclosed to third parties. The transmitted data is used exclusively for processing the contact request and handling your inquiry.


2.       Purpose of Processing Personal Data

We process the personal data from the input form solely to handle your contact request and address your inquiry. If you contact us via email, this also constitutes the necessary legitimate interest in processing the transmitted personal data.

The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.


3.       Legal basis for the processing of personal data

The legal basis for the processing of personal data is Article 6(1)(a) of the GDPR, provided the user has given consent. If your inquiry is aimed at entering into a contract or is related to the performance of a contract, the legal basis for the processing of personal data is Article 6(1)(b) of the GDPR. The processing of personal data transmitted in the course of sending an email that does not aim to conclude a contract or is not related to the performance of a contract is based on our legitimate interests pursuant to Article 6(1)(f) of the GDPR. It is not apparent that the interests, fundamental rights, and freedoms of the data subject override this interest.


4.       Duration of Storage and Data Deletion

In principle, the transmitted data is deleted as soon as it is no longer necessary for the purpose for which it was collected. This applies to personal data from the contact form input field as well as data transmitted via email once the processing of the user’s inquiry has been completed or the conversation with the user has ended. It is assumed that the processing of the matter has been completed or the conversation has ended if the circumstances indicate that the relevant issue has been conclusively resolved for the user. An exception applies only if the email contact is aimed at concluding a contract or if the personal data is required for the performance of the contract. In these cases, a longer retention period may apply for contractual or legal reasons.

The personal data additionally collected during the sending process is generally deleted after a period of seven days at the latest.


5.       Right to Object and Right to Erasure

Users have the option at any time to revoke consent previously given for the processing of personal data. If the user contacts us via email, they may object to the storage and processing of their personal data at any time. To the extent that processing is based on the user’s consent, the conversation cannot be continued. In this case, all personal data stored in the course of the contact will also be deleted.


VIII.    Use of anti-spam protection for contact forms


1.       Description and scope of the processing of personal data

We use the “reCAPTCHA” service provided by Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), to protect our contact form. The service is designed to verify whether data entry via the contact form is performed by a human or by an automated program. To do this, the service analyzes the user’s behavior based on various characteristics. Google uses corresponding cookies for this purpose. Cookies are data records that the internet browser stores on the user’s device. However, both the use of cookies and the analysis only take place once the user has given their consent to the use of the feature. For this purpose, the following user data, among others, is processed:

               the user’s IP address,

               the user’s responses to the tasks presented.

reCAPTCHA evaluates this information through an analysis. The data collected during the analysis is forwarded to Google. For further information, please refer to the provider’s privacy policy and terms of service at the following links: https://policies.google.com/privacy?hl=de and https://policies.google.com/terms?hl=de.


2.       Purpose of processing personal data

The analysis serves to determine whether the respective data entry via the contact form is performed by a human or by an automated program. We use the service to protect our content and services from abusive automated spying. Furthermore, we have an interest in ensuring that our contact form is used exclusively for sending inquiries by humans and not for sending spam messages.


3.       Legal basis for the processing of personal data

The legal basis for the processing of personal data is Article 6(1)(a) of the GDPR, provided the user has given their consent.


4.       Data Retention Period and Data Deletion

According to Google, the cookies used by Google for reCAPTCHA generally expire after 30 days. However, there are also cookies with expiration dates ranging from 6 months to 2 years or longer. For details, please refer to our Cookie Consent Manager. Please note that we have no influence over the duration of storage by Google.


5.       Right to object and right to erasure

As a user, you have the following options to object and delete data:

               You may revoke your previously given consent to use the service at any time with future effect by notifying us or by changing your data protection or privacy settings within our Cookie Consent Manager.

               You can prevent the storage of cookies by adjusting your browser settings accordingly.

               You can also prevent the collection of data generated by cookies and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout.


6.       Transfer of Personal Data Outside the EU/EEA

The processing of personal data by Google in the United States cannot be entirely ruled out. In cases where personal data is transferred to the United States, Google relies on the conclusion of standard contractual clauses. Furthermore, Google LLC is certified under the EU-US Data Privacy Framework by the U.S. Department of Commerce, meaning that the EU Commission’s adequacy decision also applies to data transfers directly to the United States.


IX.      Subscription and distribution of newsletters


1.       Description and scope of personal data processing

As part of the services offered on our website, users have the option to subscribe to a free newsletter. When you sign up to receive the newsletter, the data from the input form is transmitted to us. This includes data that allows us to verify that you consent to receiving the newsletter, such as your last name, first name, and email address.

In addition, the following data is collected during registration:

               IP address of the accessing device

               Date and time of registration

No further data is collected from you, or only on a voluntary basis. We use this data exclusively for sending the newsletter. As part of the newsletter registration process, your consent is obtained for the processing of the data, and reference is made to this privacy policy.

After signing up on our website, you will receive an email with a confirmation link that you can use to confirm your subscription to our newsletter (double opt-in procedure). This confirmation serves as proof that you, as the owner of the provided email address, consent to receiving the newsletter.

To send the newsletter, we use the “Brevo” service provided by Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, with whom we have entered into a data processing agreement. Data processing takes place exclusively within the European Union; no data is transferred to third countries. Further information on the provider’s data protection practices can be found here: https://www.brevo.com/de/legal/privacypolicy/

Based on your consent, we analyze user behavior within the newsletter we send through the provider. Each newsletter sent to you contains so-called tracking pixels, which enable us to evaluate delivery and read confirmations as well as information about the links you clicked in our newsletter with regard to open and click rates. This information is summarized in corresponding user profiles.


2.       Purpose of processing personal data

Both the collection of the email address and the collection of additional user information serve to ensure that the user is the owner of the provided email address and, consequently, consents to receiving the newsletter. Additionally, we require the user’s email address to deliver the newsletter.

The processing of other personal data collected during the registration process serves to prevent misuse of our services and of the email address provided.

The information collected through the analysis of open and click-through rates helps us improve the technical aspects and content of our newsletter. By creating individual user profiles, we can tailor our advertising to users’ interests and optimize our offerings on our website.


3.       Legal basis for the processing of personal data

The legal basis for processing data when signing up for the newsletter subscription, as well as for analyzing open and click rates and creating user profiles, is the user’s consent pursuant to Art. 6(1)(a) GDPR.

The use of the newsletter service provider and the transfer of personal data for the purpose of sending the newsletter are based on our legitimate interests in effective and user-friendly newsletter marketing pursuant to Art. 6(1)(f) GDPR. It is not apparent that the interests, fundamental rights, and freedoms of the data subject override this interest.


4.       Duration of Storage and Data Deletion

In principle, the data is deleted as soon as it is no longer necessary for the purpose for which it was collected. The user’s email address is therefore stored for as long as the newsletter subscription remains active and the user’s consent to the use of their data has not been revoked. This also applies to the storage of the analysis of open and click rates and the user profiles created on this basis.

Other personal data collected during the registration process is generally deleted after a period of seven days.


5.       Right to Object and Right to Erasure

The user may cancel the newsletter subscription at any time and revoke consent to the use of the data. Each newsletter contains a link allowing users to unsubscribe from the newsletter.

In this case, users may also revoke their consent to the storage of the personal data collected during the registration process. The lawfulness of the data processing carried out prior to the revocation of consent remains unaffected by the revocation.

It is not possible to revoke consent for newsletter tracking separately. In this case, the entire subscription must be canceled.


X.       Data Processing During Registration and/or Login to the Portal


1.       Description and scope of personal data processing

We offer our contractual partners the opportunity to register on the “https://app.planubo.com” portal via our website. The personal data required for registration is entered into a corresponding input form, transmitted to us, and stored. The following data is collected as part of the registration process:

               Last name, first name

               Email address

               Address (optional)

The following data is also stored at the time of registration:

               The IP address

               Date and time of registration


2.       Purpose of processing personal data

Registration of the contractual partner is necessary for the performance of a contract with the contractual partner and for the implementation of pre-contractual measures.


3.       Legal basis for the processing of personal data

Since the registration serves to fulfill a contract to which the user is a party, and this is also necessary for the implementation of pre-contractual measures, the legal basis for the processing of the data is Article 6(1)(b) of the GDPR.


4.       Duration of storage and data deletion

In principle, the data is deleted as soon as it is no longer necessary for the purpose for which it was collected. For the data collected during the registration process, this is the case when the data is no longer required for the performance and execution of the contract or pre-contractual measures. Even after the conclusion or termination of the contract, it may be necessary to store the contractual partner’s personal data in order to comply with contractual or legal obligations as well as for corresponding evidentiary purposes.


5.       Right to Object and Right to Erasure

Contractual partners have the option to cancel their registration and/or delete the user account they have created. The stored data can be modified at any time independently in the user account or by notifying us. In this case, the use of our services is no longer possible.

To the extent that the collected data is necessary for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible to the extent that no contractual or legal obligations or reasons for retention preclude such deletion.


XI.      Data Processing in Connection with the Provision of the SaaS Solution


1.       Description and scope of the processing of personal data

Each time a user accesses the SaaS solution, data and information are automatically collected from the respective computer system of the user’s accessing device. In particular, the following data is collected:

               User’s IP address

               Date and time of access

               Website visited

               Source/link from which the user accessed our website

               Information about the browser type and version used

               The user’s operating system

The aforementioned data is also stored in our system’s log files. However, this data is not stored together with other personal data of the user.

We use a hosting service provider for the collection and storage of this data, with whom we have entered into a data processing agreement. The provider is Hetzner Online GmbH. Further information about the provider and the privacy policy can be found here: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Privacy policy: https://www.hetzner.com/de/legal/privacy-policy/


2.       Purpose of processing personal data

The purpose of temporarily storing the IP address by our system is to deliver the SaaS solution to the user’s device. For this, it is essential that the user’s IP address remains stored for the duration of the session.

The purpose of storing data in log files is to ensure the proper functioning of our SaaS solution. We also use this data for technical optimization and to test the stability of the SaaS solution, as well as to ensure the security of our IT systems.


3.       Legal basis for the processing of personal data

The legal basis for the temporary storage of data and the storage of data in log files is Article 6(1)(f) of the GDPR. The aforementioned purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) of the GDPR. It is not apparent that the interests, fundamental rights, and freedoms of the data subject override this interest.


4.       Duration of Storage and Data Deletion

In principle, the data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collection for the provision of the SaaS solution, this occurs when the respective session ends. No further storage of the data takes place.

To the extent that data is stored in log files, it is deleted after seven days at the latest. If storage extends beyond this period, the users’ IP addresses are deleted or truncated in such a way that it is no longer possible to identify the accessing device.

Under German law, we may retain documents relevant under tax and commercial law (in particular invoices) for up to ten years after the end of the calendar year in which they were created (in particular § 147 AO). Upon termination of the user relationship or deletion of a user account, we delete data that does not need to be retained; where there is a legal retention obligation, we limit storage to the extent necessary and remove or anonymize further personal information to the extent possible.

Data related to referrals is stored until the expiration of the benefit period specified in the applicable program terms and conditions, and subsequently to fulfill statutory retention obligations (in particular § 147 AO, 10 years).


5.       Right to Object and Right to Erasure

As is evident from the purpose of data processing, the collection of the aforementioned data is strictly necessary for the provision of the SaaS solution, and the storage of data in log files is strictly necessary for the operation of the SaaS solution. For this reason, the user has no right to object.


XII.     Data processing within the SaaS solution via consent log


1.     Description and scope of processing

Upon registration and upon any subsequent consent to amended Terms of Service, Privacy Policy, or Data Processing Agreement, we store a consent log within our SaaS solution. The data processed on the user’s side includes the account and user profile ID, email address, IP address, user agent, date and time of consent, language version used, consent context, URL, as well as the version ID and SHA-256 hash of the document version to which consent was given.


2.     Purpose of Processing

The processing serves to fulfill our obligations to provide evidence pursuant to Art. 7(1) GDPR (evidence of valid consent) and § 309 No. 12b BGB (preservation of evidence regarding contractual declarations within the scope of our Terms and Conditions) as well as to protect against manipulation.


3.     Legal basis

The legal basis is Art. 6(1)(b) GDPR (performance of contractual obligations), Art. 6(1)(c) GDPR (compliance with legal obligations), and Art. 6(1)(f) GDPR (legitimate interest in preserving evidence).


4.     Duration of Storage

The consent record will be stored for the duration of the contractual relationship and thereafter for the duration of the statutory retention periods, but for no longer than ten (10) years after the end of the contract.


5.     Right to Object and Right to Erasure

The collection and storage of data are required by law for evidentiary purposes. Consequently, the user has no right to object.

XIII.    Online Presence on Social Networks and Use of Social Media Buttons


1.       Description and Scope of Personal Data Processing

We maintain online presences within social networks operated by social media providers. In this context, our website uses both simple links and social media buttons that do not establish a direct connection to the respective network when the page is loaded. Thus, the “Like” and “Share” buttons used here differ from the widely used social media plugins, which transmit data to the social networks as soon as the page loads, without the button needing to be clicked. The version of the so-called Shariff button that we use only establishes direct contact between the social network and the user once the latter actively clicks on the respective social media button. In this way, the integrated Shariff button prevents users from leaving a digital trail on every page they visit and thereby prevents personal data from being transmitted directly to the respective social network of the social media provider. When visiting the respective social network, the privacy policy and terms of use of the respective social media provider apply. For further information, please refer to our Social Media Privacy Policy.


2.       Purpose of processing personal data

We maintain online presences within social networks operated by social media providers in order to communicate with customers, prospects, and users active there and to inform them about our services. The integrated “Like” and “Share” buttons are used to enable a faster and easier response from users and thus a faster and more effective initiation of communication with us.


3.       Legal basis for the processing of personal data

The legal basis for processing is therefore Article 6(1)(a) of the GDPR, provided the user has given consent. Furthermore, we have a legitimate interest in maintaining an online presence on social media pursuant to Article 6(1)(f) of the GDPR. It is not apparent that the interests, fundamental rights, and freedoms of the data subject override this interest.


4.       Disclosure of Personal Data

We use social media buttons for the social networks listed below. A connection to the social media provider is only established when the user actively clicks on the social media button of the social network.

a)              “Instagram”: Instagram’s social media buttons are typically associated with an Instagram logo. The social media provider is Meta Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The social network’s privacy policy can be found at: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.

b)             “Facebook”: Facebook’s social media buttons are usually associated with a Facebook logo. The social media provider is Meta Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The social network’s privacy policy can be found at: https://www.facebook.com/about/privacy/.

c)              “X”: X’s social media buttons are typically associated with an X logo. The social media provider is X Internet Unlimited Company, based in Ireland. The social network’s privacy policy can be found at: https://x.com/de/privacy

d)             “LinkedIn”: LinkedIn’s social media buttons are usually marked with a LinkedIn logo. The social media provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The social network’s privacy policy can be found at: https://www.linkedin.com/legal/privacy-policy.


5.       Right to Object and Right to Erasure

Users have the option at any time to revoke consent previously granted for the processing of personal data. Revoking consent does not affect the lawfulness of processing carried out on the basis of the consent prior to revocation. To the extent that processing is based on the user’s consent, communication with the user via the social media provider’s features cannot be continued.


6.       Transfer of Personal Data Outside the EU/EEA

The processing of personal data by providers in the U.S. cannot be entirely ruled out. In cases where personal data is transferred to the U.S., the providers rely, on the one hand, on the conclusion of standard contractual clauses and, on the other hand, on certification under the EU-U.S. Data Privacy Framework with the U.S. Department of Commerce, so that the EU Commission’s adequacy decision also applies to data transfers directly to the U.S. Specifically, this involves the following data recipients and the respective transfer mechanisms applied:

·       Facebook and Instagram: Meta Platforms Ltd. transfers personal data to Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA, based on standard contractual clauses approved by the European Commission (https://www.facebook.com/legal/EU_data_transfer_addendum). In addition, Meta Platforms, Inc. is certified under the so-called EU-US Data Privacy Framework.

·       LinkedIn: LinkedIn transfers data to LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA, based on standard contractual clauses approved by the European Commission (https://de.linkedin.com/legal/l/dpa). Furthermore, LinkedIn Corporation is certified under the EU-US Data Privacy Framework.

·       X: X transfers data based on standard contractual clauses approved by the European Commission (https://help.x.com/de/rules-and-policies/global-operations-and-data-transfer) to X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. X Corp. is also certified under the EU-US Data Privacy Framework.


XIV.    Embedding of YouTube Videos


1.       Description and scope of the processing of personal data

We have embedded videos on certain pages of our website that are made available via the YouTube platform. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). This allows us to present videos directly on our website. However, we use the enhanced privacy mode for this purpose. When you visit a page that has an embedded YouTube video, a grayed-out area appears first. The video can only be played after you have given us your consent to display the YouTube video. At a minimum, your IP address is stored during this process.

For more information on Google’s data processing, see here: https://policies.google.com/privacy?hl=de&gl=de. This privacy policy applies to all services offered by Google Ireland Limited and its affiliates—including YouTube.


2.       Purpose of processing personal data

We use YouTube to present our offerings and services to you in an optimized and appealing way. We want to provide you with the best possible user experience on our website, which includes our embedded videos that may contain content that is helpful and interesting to you.


3.       Legal basis for the processing of personal data

The legal basis for processing the data is Article 6(1)(a) of the GDPR, provided the user has given their consent.


4.       Duration of storage and data deletion

In general, data is deleted as soon as it is no longer necessary for the purpose for which it was collected. For details, please refer to our Cookie Consent Manager. Please note that we have no influence over the duration of storage on YouTube.


5.       Right to object and right to erasure

Users have the option at any time to withdraw consent previously given for the processing of personal data. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.


6.       Transfer of personal data outside the EU/EEA

The processing of personal data by YouTube in the United States cannot be entirely ruled out. In cases where personal data is transferred to Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, YouTube relies on the conclusion of standard contractual clauses. Google LLC is also certified under the EU-US Data Privacy Framework.


XV.     Use of fonts via direct integration from third-party providers


1.       Description and scope of the processing of personal data

On our website, we use so-called web fonts provided by the following providers to ensure a consistent font display:

               Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”)

               Fonticons, Inc., located at 307 S. Main St. Suite 202, Bentonville, AR 72712 (“FontAwesome”)

The required fonts are loaded via a direct connection to the provider’s respective server and then stored in the user’s browser cache to ensure that text and fonts are displayed correctly. If the browser being used does not support web fonts, a standard font from the user’s device will be used.

No cookies are set on the user’s device when visiting our website. A connection to the provider’s servers is established only after the user has consented to the transfer of their data.

Further information on Google Web Fonts can be found here: https://fonts.google.com. For information on data protection, please refer to the following information from the provider: https://developers.google.com/fonts/faq/privacy?hl=de

For more information about FontAwesome web fonts, please visit: https://fontawesome.com/tos. For information regarding data protection, please refer to the provider’s information below: https://fontawesome.com/privacy.


2.       Purpose of processing personal data

Web fonts are a freely available library containing a wide variety of fonts for use on websites. By using web fonts, our website can be presented to the user in an appealing and recognizable design, as well as in a consistent manner and quality across all devices. This allows us to technically ensure that all users of our website have a consistent and pleasant user experience.


3.       Legal basis for the processing of personal data

The legal basis for processing the data is Article 6(1)(a) of the GDPR, provided the user has given their consent.


4.       Duration of storage and data deletion

In general, data is deleted as soon as it is no longer necessary for the purpose for which it was collected. For details, please refer to our Cookie Consent Manager. Please note that we have no influence over the duration of storage with third-party providers.


5.       Right to object and right to erasure

Users have the option at any time to revoke consent previously given for the processing of personal data. The revocation of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to the revocation.


6.       Transfer of personal data outside the EU/EEA

The processing of personal data by Google and FontAwesome in the United States cannot be entirely ruled out. For the exceptional cases in which personal data is transferred to the U.S., Google agrees to standard contractual clauses as part of the contractual arrangements by default. Furthermore, both Google LLC and Fonticons, Inc. are certified under the EU-U.S. Data Privacy Framework by the U.S. Department of Commerce, so that the EU Commission’s adequacy decision also applies to data transfers directly to the U.S.


XVI.    Use of the Google Ads online advertising program (including Google Conversion Tracking)


1.       Description and scope of the processing of personal data

We use “Google Ads,” an online advertising program provided by Google Ireland Ltd., located at Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ads”), on our website. This solution allows us to advertise our products and services in a targeted manner by presenting our ads to users when they are searching online for the services we offer. To this end, we may use various advertising campaigns via Google Ads.

As part of our advertising activities through Google Ads, we use what is known as conversion tracking on our website. When you click on an ad placed by Google, a cookie for conversion tracking is set on your device. Cookies are data records that the internet browser stores on the user’s device. As soon as a visitor accesses a specific (sub)page of our website and performs a specific action, Google recognizes the set cookie and records the action as a so-called conversion. As long as the cookie remains active, it can be used to determine whether the user clicked on an ad placed by Google and was thereby redirected to the respective (sub)page of our website.

If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged into your Google account, there is a possibility that Google will process your IP address.

We ourselves do not collect or process any personal data in connection with these advertising measures. We receive only statistical reports from Google. This allows us, for example, to determine the total number of users who have clicked on our ads and thereby learn which of the advertising measures used are particularly effective. We do not receive any further data; in particular, we cannot identify users based on these statistical reports.

We have entered into a data processing agreement with the provider for this purpose. Further information on Google Ads and Google Conversion Tracking can be found in Google’s Privacy Policy at: https://www.google.de/policies/privacy/. Information on data processing services for advertising can be found at: https://privacy.google.com/businesses/adsservices.


2.       Purpose of processing personal data

We use Google Ads to draw attention to our advertising offers on other websites as well. Our goal is to ensure that our advertising measures reach those users who are actually interested in our advertising offers. Through Google Ads, we also receive statistics on the total number of users who clicked on our ad and were thus redirected to a (sub)page of our website tagged with the conversion tracking tag. With the help of this tracking, we can measure the success of individual advertising campaigns and tailor our advertising offers to the interests and needs of our users.


3.       Legal basis for the processing of personal data

The legal basis for data processing, provided the user has given consent, is Article 6(1)(a) of the GDPR.


4.       Duration of Storage and Data Deletion

According to Google, the cookies used by Google for advertising purposes within the scope of Google Ads generally expire after 30 days. However, there are also cookies used in conjunction with Google Analytics that have an expiration date of 3 months. For details, please refer to our Cookie Consent Manager. Please note that we have no influence over the duration of storage at Google.


5.       Right to Object and Opt-Out

Users can choose not to participate in Google Ads conversion tracking. There are several ways to prevent participation:

               You can revoke your previously given consent to the use of advertising cookies at any time with future effect by changing your data protection or privacy settings within our Cookie Consent Manager.

               You can deactivate the conversion tracking cookie yourself via your device’s browser: www.google.de/settings/ads. In this case, you will not be included in the tracking tool’s statistical data collection.

               You have the option at any time to change the cookie settings in your device’s browser, in particular by generally blocking third-party cookies that contain third-party ads.

               You can review and, if necessary, disable interest-based ads from providers participating in the “About Ads” self-regulatory campaign via the following link: https://youradchoices.com

               You can use the plugin provided for your browser, which allows for the permanent deactivation of cookies. However, please note that in this case, you may not be able to fully utilize all features of our website.


6.       Transfer of Personal Data Outside the EU/EEA

The processing of personal data by Google in the U.S. cannot be entirely ruled out. For the exceptional cases in which personal data is transferred to the U.S., Google agrees to standard contractual clauses as part of the contractual arrangements by default. Furthermore, Google LLC is certified under the EU-U.S. Data Privacy Framework by the U.S. Department of Commerce, meaning that the EU Commission’s adequacy decision also applies to data transfers directly to the U.S.


XVII.   Rights of the data subject

To the extent that your personal data is processed, you are a data subject within the meaning of the GDPR. Within the framework of the statutory provisions, you are entitled to the following rights vis-à-vis the controller:


1.       Right of access under Art. 15 GDPR

Within the framework of the statutory provisions, you have the right at any time to obtain information free of charge about your personal data stored by us. In this regard, you may also request confirmation as to whether your personal data is being processed by us.


2.       Right to rectification under Article 16 of the GDPR

Under the provisions of the law, you have the right to have your personal data rectified and/or completed if the personal data we process is inaccurate or incomplete.


3.       Right to erasure under Article 17 of the GDPR

Within the scope of the legal provisions, you may request that we erase your personal data without undue delay, provided that

               the purposes for which your personal data was collected or processed no longer apply;

               you withdraw your consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing;

               you object to the processing pursuant to Article 21 of the GDPR;

               your personal data has been processed unlawfully;

               the erasure of your personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which we, as the controller, are subject;

               your personal data was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

The right to erasure does not apply if processing is still necessary for the following reasons, among others:

               to comply with a legal obligation that requires processing under Union or Member State law to which we, as the controller, are subject; or

               to assert, exercise, or defend legal claims.


4.       Right to restriction of processing under Article 18 of the GDPR

You have the right to request the restriction of the processing of your personal data in the following cases:

               if you contest the accuracy of your personal data stored by us, you may request the restriction of the processing of your personal data for the duration of the verification;

               if the processing is unlawful, you may request the restriction of processing instead of the erasure of your personal data;

               if we no longer need the personal data for the purposes of processing, but you need it to assert, exercise, or defend legal claims, or

               if you have objected to the processing pursuant to Art. 21(1) GDPR and it has not yet been determined whose legitimate interests prevail.

To the extent that the processing of your personal data has been restricted, such data may, with the exception of its storage, be processed only with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or of a Member State.


5.       Right to be informed under Article 19 of the GDPR

If you have exercised your right to rectification, erasure, or restriction of processing against us, we are obligated to notify all recipients to whom your personal data has been disclosed of such rectification, erasure, or restriction of processing. This does not apply if it proves impossible or involves disproportionate effort. Within the scope of the statutory provisions, you may request to be informed of these recipients.


6.       Right to data portability under Art. 20 GDPR

In accordance with applicable law, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, as well as to request the direct transfer of this data to another controller, provided that

               the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and

               the processing is carried out using automated means.

The direct transfer of your personal data from one controller to another controller may only take place to the extent that this is technically feasible.


7.       Right to object under Article 21 of the GDPR

To the extent that the processing of your personal data is based on Article 6(1)(e) or (f) of the GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

To the extent that we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes. If you object to processing for direct marketing purposes, your personal data will no longer be used for these purposes.


8.       Right to Withdraw Consent

In the event that you have given us your prior consent for a data processing operation, you have the right to withdraw your consent under data protection law at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.


9.       Automated decision-making in individual cases, including profiling, pursuant to Article 22 of the GDPR

We do not use exclusively automated processing—including profiling—to make decisions that have legal effects on you or could similarly significantly affect you.


10.     Right to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority to which the complaint was submitted shall inform the complainant of the status and the outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.


Status of the Privacy Policy:   May 19, 2026