Data protection


Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also briefly referred to as "data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as the ‘Online Offer’).

The terms used are not gender-specific.

Status: October 2, 2024

Responsible

Stefan Kastner
Alte Poststr. 5
94036 Passau
Germany

Email address: info@k-data.org

Overview of processing activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the affected individuals.

Types of processed data

  • Inventory data.
  • Payment data.
  • Contact details.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Protocol data.

Categories of affected individuals

  • Service recipient and client.
  • Interested parties.
  • Communication partner.
  • User.
  • Business and contractual partners.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Safety measures.
  • Reach measurement.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Feedback.
  • Profile with user-related information.
  • Provision of our online services and user-friendliness.
  • Information technology infrastructure.
  • Business processes and business management procedures.

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the regulations of the GDPR, national data protection provisions may apply in your or our country of residence or seat. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given their consent to the processing of their personal data for a specific purpose or multiple specific purposes.
  • Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - The processing is necessary for the fulfillment of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not override those interests.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection in Germany apply. This particularly includes the law for the protection against the misuse of personal data in data processing (German Federal Data Protection Act - BDSG). The BDSG contains, in particular, special regulations on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes, and the transmission as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual federal states may apply.

Note on the applicability of the GDPR and Swiss DSG: These data protection notices serve both to provide information according to the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, we kindly ask you to note that the terms of the GDPR are used due to their broader spatial application and comprehensibility. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "particularly sensitive personal data" used in the Swiss DSG, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are employed. The legal meaning of the terms, however, will continue to be determined according to the Swiss DSG within the framework of its applicability.

Safety measures

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying probabilities and extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access related to it, input, transmission, ensuring availability, and their separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. Furthermore, we take into account the protection of personal data already during the development or selection of hardware, software, and procedures in accordance with the principle of data protection, through technical design and data protection-friendly default settings.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect users' data transmitted through our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and encrypted.

Transmission of personal data

In the course of our processing of personal data, it may happen that this data is transmitted to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT duties or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Data transmission within the organization: We can transmit personal data to other departments or units within our organization or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate business and economic interests or is carried out if it is necessary to fulfill our contractual obligations or if there is consent from the affected parties or a legal permit.

General information on data storage and deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or no further legal grounds for processing exist. This concerns cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this regulation exist when legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy policy contains additional information on the storage and deletion of data that specifically applies to certain processing procedures.

In the case of multiple statements regarding the retention period or deletion deadlines of a data item, the longest period always applies.

If a deadline does not explicitly begin on a specific date and is at least one year long, it automatically starts at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the deadline is the moment the termination becomes effective or the relationship otherwise ends.

Data that is no longer used for its original purpose but is retained due to legal requirements or other reasons will only be processed for the reasons that justify its retention.

Further information on processing processes, procedures, and services:

  • Storage and Deletion of Data: The following general deadlines apply to storage and archiving under German law:
    • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the instructions and other organizational documents necessary for their understanding, booking vouchers, and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4, and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
    • 6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents as far as they are relevant for taxation, e.g., hourly wage slips, operating accounting sheets, calculation documents, price labels, but also payroll documents, as far as they are not already booking vouchers, and cash register strips (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, para. 4 HGB).
    • 3 years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experiences and common industry practices, will be stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of the affected persons

Rights of the data subjects under the GDPR: As data subjects, you have various rights under the GDPR, which are particularly derived from Articles 15 to 21 of the GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is carried out pursuant to Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these regulations. If your personal data is being processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling, as far as it is related to such direct advertising.
  • Right of withdrawal for consents: You have the right to revoke granted consents at any time.
  • Right of access: You have the right to request confirmation as to whether personal data concerning you are being processed, and to obtain access to those data and further information and a copy of the data in accordance with legal requirements.
  • Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to deletion and restriction of processing: You have the right, in accordance with legal requirements, to request that your data be deleted immediately, or alternatively, to request a restriction of the processing of your data in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us, in accordance with legal requirements, in a structured, commonly used, and machine-readable format, or to request its transfer to another controller.
  • Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the provisions of the GDPR.

Business services

We process data of our contractual and business partners, such as customers and prospects (collectively referred to as "contractual partners"), within the framework of contractual and comparable legal relationships as well as related measures and with regard to communication with the contractual partners (or pre-contractually), for example, to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any update obligations, and remedies for warranty and other performance disruptions. Furthermore, we use the data to protect our rights and for the purposes of administrative tasks associated with these obligations as well as for corporate organization. In addition, we process the data based on our legitimate interests in both proper and businesslike management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. The contracting parties will be informed about other forms of processing, such as for marketing purposes, within the framework of this privacy policy.

We inform the contractual partners which data is required for the aforementioned purposes before or during the data collection, for example, in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, for example, as long as it must be retained for legal archiving purposes (usually ten years for tax purposes). Data disclosed to us by the contracting party in the context of an assignment will be deleted in accordance with the guidelines and generally after the end of the assignment.

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact details (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Affected persons: service recipients and clients; Interested parties. Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Safety measures; Communication; Office and organizational procedures; Organizational and administrative procedures. Business processes and business management procedures.
  • Storage and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

  • Online shop, order forms, e-commerce, and delivery: We process our customers' data to enable them to select, purchase, or order the chosen products, goods, and associated services, as well as their payment and delivery, or execution. If necessary for the execution of an order, we use service providers, particularly postal, freight, and shipping companies, to carry out the delivery or execution to our customers. For the processing of payment transactions, we make use of the services of banks and payment service providers. The required information is marked as such within the framework of the order or comparable acquisition process and includes the information needed for delivery, provision, and billing, as well as contact information to be able to consult if necessary; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Payment methods

In the context of contractual and other legal relationships, due to legal obligations, or otherwise based on our legitimate interests, we offer the affected individuals efficient and secure payment options and use additional service providers alongside banks and credit institutions (collectively ‘Payment Service Provider’).

The data processed by payment service providers includes inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related information. The information is required to carry out the transactions. The entered data, however, is only processed by the payment service providers and stored with them. That means we do not receive account or credit card-related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit bureaus. This transmission is intended for identity and credit checks. For this, we refer to the terms and conditions and the privacy notices of the payment service providers.

For payment transactions, the terms and conditions and the privacy notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We refer to this as well for further information and the assertion of withdrawal, information, and other rights of the data subjects.

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter, duration, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Affected persons: service recipients and clients; Business and contractual partners. Interested parties.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Business processes and business management procedures.
  • Storage and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

  • PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com/de. Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
  • Amazon Payments: Payment services (technical integration of online payment methods); Service provider: Amazon Payments Europe S.C.A., 38 avenue J.F. Kennedy, L-1855 Luxembourg; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://pay.amazon.de/. Privacy Policy: https://pay.amazon.de/help/201212490.

Provision of the online service and web hosting

We process user data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Processed data types: usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Protocol data (e.g. log files relating to logins or the retrieval of data or access times). Content data (e.g., textual or pictorial messages and posts, as well as the information related to them, such as authorship or creation time).
  • Affected individuals: users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Safety measures.
  • Storage and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services: Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called "web host"). Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online services is recorded in the form of so-called "server log files." The server log files may include the address and name of the retrieved websites and files, the date and time of the retrieval, the amount of data transferred, a notification of successful retrieval, the browser type and version, the user's operating system, the referrer URL (the previously visited page), and typically the IP addresses and the requesting provider. The server log files can be used for security purposes, for example, to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and also to ensure the server's load and stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Logfile information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident is fully resolved.
  • Email sending and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients and senders, as well as other information regarding the email transmission (e.g., the involved providers) and the contents of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. We kindly ask you to note that emails sent over the internet are generally not encrypted. As a rule, emails are encrypted during transmission, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. We cannot therefore take any responsibility for the transmission path of the emails between the sender and the reception on our server; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Use of cookies

Cookies are small text files or other storage records that store information on and read information from end devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the used features of an online service. Cookies can also be used for various purposes, such as ensuring the functionality, security, and comfort of online services, as well as creating analyses of visitor traffic.

Consent Information: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not required by law. Permission is particularly not necessary if storing and retrieving information, including cookies, is absolutely required to provide users with a telemedia service they have explicitly requested (i.e., our online offering). The revocable consent is clearly communicated to them and contains information about the respective cookie usage.

Information on data protection legal bases: The legal basis on which we process users' personal data using cookies depends on whether we ask for their consent. If the users accept, the legal basis for the use of their data is the declared consent. Otherwise, the data collected using cookies will be processed based on our legitimate interests (e.g., for the economic operation of our online services and the improvement of their usability) or, if this is done in the context of fulfilling our contractual obligations, when the use of cookies is necessary to meet our contractual obligations. We will clarify the purposes for which we use cookies in the course of this privacy policy or within the framework of our consent and processing processes.

Storage duration: With regard to the storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user visits a website again. Similarly, the user data collected using cookies can be used for reach measurement. If we do not provide users with explicit information about the type and duration of cookies (e.g., as part of obtaining consent), they should assume that these are permanent and that the storage duration can be up to two years.

General information on revocation and objection (opt-out): Users can revoke their given consents at any time and also declare an objection to the processing in accordance with legal requirements, including through their browser's privacy settings.

  • Processed data types: meta, communication, and procedural data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution that obtains user consent for the use of cookies or for the procedures and providers mentioned within the consent management solution. This procedure serves to obtain, log, manage, and revoke consents, particularly with regard to the use of cookies and similar technologies that are used to store, read, and process information on the users' end devices. As part of this procedure, user consents for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. The consent declarations are stored to avoid repeated inquiries and to be able to provide proof of consent in accordance with legal requirements. The storage is done server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to associate the consent with a specific user or their device. If there are no specific details about the providers of consent management services, the following general guidelines apply: The duration of storing the consent is up to two years. A pseudonymous user identifier is created, which, along with the time of consent, the details of the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, the system, and the device used, is stored. Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within the framework of existing user and business relationships, the information of the inquiring individuals will be processed as far as necessary to respond to the inquiries and any requested actions.

  • Processed data types: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Affected persons: communication partners.
  • Purposes of processing: Communication; Organizational and administrative procedures; Feedback (e.g. collecting feedback via online form). Provision of our online services and user-friendliness.
  • Storage and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing processes, procedures, and services:

  • Contact form: When contacting us via our contact form, email, or other communication methods, we process the personal data you provide to respond to and address your respective inquiry. This usually includes information such as name, contact details, and any other information that may be provided to us and is necessary for proper processing. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web analysis, monitoring, and optimization

Web analytics (also referred to as "reach measurement") is used to analyze the visitor flows of our online offerings and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine when our online offerings or their functions or content are most frequently used, or invite reuse. It is also possible for us to understand which areas need optimization.

In addition to web analytics, we can also use testing methods to test and optimize different versions of our online offerings or their components.

Unless otherwise specified below, profiles, i.e., data aggregated from a usage process, can be created for these purposes, and information can be stored in a browser or on a device and then retrieved. The collected information includes, in particular, visited websites and the elements used there, as well as technical details such as the browser used, the computer system used, and information on usage times. Provided that users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.

In addition, the users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users. Generally, no plain data of users (such as email addresses or names) is stored within the framework of web analysis, A/B testing, and optimization, but rather pseudonyms. That means we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data will be processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online services and user-friendliness.
  • Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymisation of the IP address).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to identify which content users have accessed during one or several usage sessions, which search terms they have used, and whether they have accessed that content again or interacted with our online offerings. Likewise, the time of use and its duration are stored, as well as the sources that refer users to our online offerings and technical aspects of their devices and browsers.
    In this process, pseudonymous profiles of users are created using information from the use of various devices, with the possibility of using cookies. Google Analytics does not log and store individual IP addresses for EU users. Analytics, however, provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). In EU data traffic, the IP address data is used exclusively for deriving geolocation data before being immediately deleted. They are not logged, are not accessible, and are not used for any further purposes. When Google Analytics collects measurement data, all IP queries are conducted on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third Country Transfers: Data Privacy Framework (DPF); Right to object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for displaying ads: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (Types of processing and data processed).
  • Google Tag Manager: We use Google Tag Manager, a software from Google that allows us to manage so-called website tags centrally through a user interface. Tags are small code elements on our website that are used to capture and analyze visitor activities. This technology helps us improve our website and the content offered on it. The Google Tag Manager itself does not create user profiles, does not store cookies with user profiles, and does not conduct independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services that we use on our website. Nevertheless, when using the Google Tag Manager, the users' IP addresses are transmitted to Google, which is necessary for technical reasons to implement the services we use. Cookies can also be set in the process. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information about these services and their data processing, we refer to the subsequent sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for Third Country Transfers: Data Privacy Framework (DPF).

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offering, which are sourced from the servers of their respective providers (hereinafter referred to as "third-party providers"). This can include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as "content").

The integration always assumes that the third-party providers of this content process the users' IP addresses, as they would not be able to send the content to their browsers without the IP address. The IP address is therefore required for the display of this content or functions. We strive to use only such content whose respective providers use the IP address solely for the delivery of the content. Third parties can also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the user's device and may include technical details about the browser and operating system, referring websites, visit times, as well as other information about the use of our online services, but can also be linked with such information from other sources.

Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data will be processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness.
  • Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Google Fonts (from the Google server): Access to fonts (and symbols) for the purpose of a technically secure, maintenance-free, and efficient use of fonts and symbols with regard to currency and loading times, their uniform display, and consideration of possible licensing restrictions. The font provider is informed of the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, used hardware) are transmitted, which are necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users' browsers send their browser HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e. the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a specific font family is requested. With the Google Fonts Web API, the user agent must adjust the font that is generated for the respective browser type. The User-Agent is primarily logged for debugging and used to generate aggregated usage statistics, which measure the popularity of font families. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations based on the number of font requests can be generated. According to its own statement, Google does not use any of the information collected by Google Fonts to create user profiles or serve targeted ads. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for Third Country Transfers: Data Privacy Framework (DPF). More information: https://developers.google.com/fonts/faq/privacy?hl=de.