Privacy policy

1. Introduction

With this privacy policy, Planerio GmbH (hereinafter also referred to as ‘Planerio’ or ‘we’) informs you about the type, scope and purpose of the processing of personal data (hereinafter also referred to as ‘data’) within our digital duty scheduling platform and the associated websites (e.g. www.planerio.de, www.planer.io) as well as associated local and mobile applications, applications, functions and content as well as external online presences, such as our social media profiles (hereinafter collectively referred to as ‘online offer’). With regard to the terms used (e.g. ‘processing’, ‘controller’, etc.), we refer to the definitions according to Art. 4 of the European General Data Protection Regulation (hereinafter referred to as ‘GDPR’).

Our online service enables you to carry out service and personnel planning, time recording and payroll accounting digitally. As a user of our online service, you and the company you work for (hereinafter also referred to as the ‘company’ or ‘customer’) can store and manage the data required for duty scheduling, time recording and payroll accounting. Each user has their own access with different rights and options for entering and retrieving data. The use of our online services requires the processing of personal data by Planerio.

Planerio uses personal data in accordance with the provisions of the GDPR, the German Federal Data Protection Act (hereinafter referred to as ‘BDSG’) and the German Telecommunications Digital Services Data Protection Act (hereinafter referred to as ‘TDDDG’). Planerio takes care to comply with the currently applicable security standards. The hosting servers used by Planerio are located in Germany and the providers are certified in accordance with DIN ISO/IEC 27001.

2. Responsible person and data protection officer

Company:

Planerio GmbH
Theresienhöhe 11a
80339 Munich
E-mail: [email protected]

Managing directors: Torsten Blaschke, Dr. Stefan Klußmann, Silke Oltrogge, Prof. Dr. Cai-Nicolas Ziegler

Data Protection Officer:

Data Protection Officer of Planerio GmbH
c/o TÜV SÜD Akademie GmbH
Westendstraße 160
80339 Munich

E-mail: [email protected]
www.tuvsud.com

3. Basics of data processing

3.1. Categories of data subjects

Visitors and users of the online offer as well as customers, interested parties and business partners as well as employees and applicants (hereinafter also referred to individually and collectively as ‘users’).

3.2. Types of data processed

We process the following data from our users to provide our online services:

Inventory data (e.g. names, addresses).
Contact data (e.g. e-mail, telephone numbers).
Content data (e.g. text entries, uploaded documents).
Usage data (e.g. websites visited, interest in content, access times).
Meta/communication data (e.g. device information, IP addresses).

We also process data from our users for the purpose of providing contractual services, service and customer care, marketing, advertising and market research, and applicant management:

Contract data (e.g. subject matter of the contract, term, customer category),
General personal data (e.g. surname and first name) and (business) contact data (e.g. address, e-mail address, telephone number) of the contact persons
Payment data (e.g. bank details, payment history)
Duty roster data (e.g. working hours, holiday, training and other absence times, qualifications, assignment preferences and duty requests)
Working time documentation and payroll data (e.g. time stamps, absences incl. reason, wages/salary, overtime regulations).
Applicant data (e.g. personal details, postal and contact addresses, the documents relating to the application and the information contained therein, such as cover letter, CV, certificates and other personal or qualification information provided by applicants with regard to a specific position or voluntarily)
Location data (information on the geographical position of a device or person).

3.3. Purpose of the processing

Providing Planerio’s services to customers, including all processes that are necessary for this, including making the online offering, its functions and content available.
Answering contact enquiries and communicating with users.
Security measures.
Reach and conversion measurement/marketing.
Assertion, exercise or defence of civil law claims.
Carrying out application procedures.

3.4. Provision of data to affiliated companies

In order to provide Planerio’s services to customers, including all processes required for this, general personal data (e.g. surname and first name) and (business) contact data (e.g. address, e-mail address, telephone number) of the contact persons are provided to companies affiliated with Planerio in accordance with §§ 15 ff. AktG (e.g. doctari GmbH, doctari city GmbH, Lichtfeld GmbH; hereinafter also referred to as ‘doctari group’).

The legal basis for the provision of the data to companies of the doctari group is the legitimate interest of Planerio (Art. 6 para. 1 sentence 1 lit. f GDPR) in the provision of the data in order to establish and maintain the most efficient group structure possible and to offer the services of Planerio and the doctari group throughout the group; Planerio bases this legitimate interest in the context of the sale of the company, in particular on the fact that only the ownership structure has changed and the company will continue to operate essentially identically. Planerio has a legitimate interest in processing the data in order to offer customers the best possible and most comprehensive service throughout the group and to fulfil the wishes and needs of customers in the best possible way – even beyond the services offered by Planerio.

If the processing is based on Art. 6 para. 1 sentence 1 lit. f GDPR, the data subject has the right to object in accordance with Art. 21 GDPR. Planerio will then no longer process the personal data unless Planerio can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims by Planerio.

3.5. Terminology used

‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically any handling of data.

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

‘Location data’ is generated when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, a WLAN or similar technical means and functions of location determination. Location data is used to indicate the geographically determinable position on earth at which the respective device is located. Location data can be used, for example, to display map functions or other location-dependent information.

3.6. Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR; the legal basis for processing for the fulfilment of our services and the implementation of (pre-)contractual measures as well as answering enquiries is Art. 6 para. 1 lit. b GDPR; thae legal basis for processing to fulfil our legal obligations is Art. 6 para. 1 lit. c GDPR; the legal basis for processing to safeguard our legitimate interests is Art. 6 para. 1 lit. f GDPR; the legal basis required for processing for the assertion, exercise or defence of civil law claims is Section 24 para. 1 no. 2 BDSG; and the legal basis for processing in the context of application procedures is Section 26 BDSG or Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR.

3.7. Safety measures

We take appropriate technical and organisational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, disclosure, safeguarding of availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and the response to data threats. Furthermore, we take the protection of personal data into account as early as the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and data protection-friendly default settings (Art. 25 GDPR).

Insofar as IP addresses are processed by us or by our service providers and the processing of a full IP address is not required, the IP address is truncated (hereinafter referred to as ‘IP masking’). This involves removing the last part of the IP address or replacing it with placeholders. The shortening of the IP address is intended to prevent or significantly complicate identification by means of the IP address.

In order to protect data transmitted via our online offering, we use SSL encryption, recognisable by the prefix ‘https://’ in the address bar of your browser

3.8. Rights of the data subjects

You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR.

In accordance with Art. 16 GDPR, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.

In accordance with Art. 17 GDPR, you have the right to demand that the data in question be deleted immediately or, alternatively, to demand that the processing of the data be restricted in accordance with Art. 18 GDPR.

You have the right to request to receive the data concerning you that has been provided to us in accordance with Art. 20 GDPR and to request its transfer to other controllers.

You also have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.

3.9. Right of cancellation

You have the right to withdraw your consent in accordance with Art. 7 (3) GDPR with effect for the future.

3.10. Right of objection

You can object to the (future) processing of data based on Article 6(1)(e) or (f) at any time in accordance with Art. 21 GDPR. The objection may be made in particular against processing for direct marketing purposes. In the event of an objection, Planerio will no longer process the personal data unless Planerio can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims by Planerio.

3.11. Deletion of data

The data processed by us will be deleted or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of labour, commercial or tax law or in cases where the processing of the data is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

According to legal requirements in Germany, the data is stored for 10 years in accordance with §§ 147 para. 1 AO, 257 para. 1 no. 1 and 4, para. 4 HGB (books, records, management reports, accounting vouchers, commercial books, documents relevant for taxation, etc.) and 6 years in accordance with § 257 para. 1 no. 2 and 3, para. 4 HGB (commercial letters).

3.12. Contractual services

We process the data of our contractual partners and interested parties as well as other clients, customers, clients, clients or contractual partners (hereinafter referred to individually and collectively as ‘contractual partners’) in accordance with Art. 6 para. 1 lit. b GDPR in order to provide them with our contractual or pre-contractual services. The data processed in this context, the type, scope and purpose and the necessity of their processing are determined by the underlying contractual relationship.

The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, contract content, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

We do not process special categories of personal data unless they are part of commissioned or contractual processing.

We process data that is required to justify and fulfil the contractual services and point out the necessity of its disclosure, unless this is evident to the contractual partners. Disclosure to external persons or companies only takes place if it is necessary within the framework of a contract. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and the legal requirements.

When using our online services, we may store the IP address and the time of the respective user action. This data is stored on the basis of our legitimate interests and the interests of users in protection against misuse and other unauthorised use. This data is not passed on to third parties unless it is necessary to pursue our claims in accordance with Art. 6 para. 1 lit. f GDPR or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.

The data will be deleted when the data is no longer required to fulfil contractual or statutory duties of care and to deal with any warranty and comparable obligations, whereby the necessity of retaining the data is reviewed every three years; otherwise the statutory retention obligations apply.

4. Cooperation with processors and third parties and transfer to third countries

4.1. Cooperation with processors and third parties

If we disclose data to other persons and companies (processors or third parties) as part of our processing, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is required to fulfil a contract in accordance with Art. 6 para. 1 lit. b GDPR), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called ‘order processing contract’, this is done in accordance with Art. 28 GDPR.

4.2. Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual authorisations, we only process or have the data processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that the processing is carried out on the basis of an adequacy decision in accordance with Art. 45 GDPR and in compliance with and implementation of suitable guarantees in accordance with Art. 46 GDPR, e.g. by concluding so-called ‘standard contractual clauses’.

5. Registration, order processing and use of our online services

5.1. Registration

If you wish to make use of the services offered via our website, registration is required. The processed data includes in particular the login information (name, password and an e-mail address).

If you set up an account for another person and/or thereby transmit this person’s data to us for processing, we must assume that the person in question has been informed of this and agrees to it.

This data is collected to confirm the registration, to set up an account and to make contact. Data processing is based on Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as you are our direct contractual partner, or on Art. 6 para. 1 sentence 1 lit. f GDPR if you carry out the registration as an employee or authorised representative of such a direct contractual partner (legitimate interest of Planerio).

Users may be informed by email about information relevant to their user account, such as technical changes. If users have cancelled their user account, their data relating to the user account will be deleted, subject to a statutory retention obligation. It is the responsibility of users to back up their data before the end of the contract in the event of cancellation. We are authorised to irretrievably delete all user data stored during the term of the contract.

As part of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. This data is stored on the basis of our legitimate interests and those of the user in protection against misuse and other unauthorised use. This data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR. The IP addresses are anonymised or deleted after 7 days at the latest.

5.2. Order processing

We process our customers’ data as part of the ordering process in order to enable them to select and order the selected products and services, as well as their payment and fulfilment.

The processed data includes inventory data, communication data, contract data, payment data and the persons affected by the processing include our customers, interested parties and other business partners. Processing is carried out for the purpose of providing contractual services as part of our online offering.

The processing is carried out on the basis of Art. 6 para. 1 lit. b (execution of order processes) and c (legally required archiving) GDPR. The information marked as necessary is required to justify and fulfil the contract. We only disclose the data to third parties in the context of delivery, payment or within the scope of legal authorisations and obligations towards legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract (e.g. at the customer’s request for delivery or payment).

5.3. Use of our online offer

5.3.1. Web application

If you use our online service after registering – whether free of charge or for a fee – you can enter data on the platform, share it with your company or other users, customise it and communicate with other users.

If you transmit data of another person to us for processing when using our online service, we must assume that the person in question has been informed of this and agrees to it.

This data is collected and processed in order to provide and invoice the services offered as part of our online offering, such as duty scheduling, time recording and payroll accounting, i.e. to fulfil Planerio’s contractual obligations. Data processing is based on Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as you are our direct contractual partner, or on Art. 6 para. 1 sentence 1 lit. f GDPR, if you carry out the registration as an employee or authorised representative of such a direct contractual partner (legitimate interest of Planerio).

5.3.2. Mobile App

Our application can also be obtained via special online platforms operated by other service providers (so-called ‘app stores’). In this context, the data protection notices of the respective app stores apply in addition to our data protection notices. This applies in particular with regard to the procedures used on the platforms to measure reach and for interest-based marketing as well as any obligation to pay costs.

Processed are inventory and roster data (e.g. names, addresses, shifts, absences); contact data (e.g. email, telephone numbers); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses). Data subjects are customers and users. The purpose of the processing is the provision of contractual services and customer service. Processing is based on the legal grounds of contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) and legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Apple App Store

App and software sales platform; Service provider: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA; Website: https://www.apple.com/de/ios/app-store/; Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.

Google Play

App and software sales platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain

View, CA 94043, USA; Website: https://play.google.com/store/apps?hl=de; Privacy Policy: https://policies.google.com/privacy.

5.3.3. Special notes on applications (apps)

We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security and to develop it further. We may also contact users in compliance with legal requirements if communication is necessary for the purposes of administering or using the application. Otherwise, we refer to the data protection information in this privacy policy with regard to the processing of user data.

The processing of data required to provide the functionalities of the application serves to fulfil contractual obligations. This also applies if the provision of the functions requires user authorisation (e.g. release of device functions). If the processing of data is not necessary for the provision of the functionalities of the application, but serves the security of the application or our business interests (e.g. collection of data for the purpose of optimising the application or security purposes), it is carried out on the basis of our legitimate interests. If users are expressly asked to consent to the processing of their data, the data covered by the consent is processed on the basis of the consent.

We process inventory data (e.g. names, addresses), meta/communication data (e.g. device information, IP addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject matter of the contract, term, customer category), location data (information on the geographical position of a device or person).

Users are affected by the processing (e.g. website visitors, users of online services). The processing is carried out for the purpose of providing contractual services and customer service and is based on consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

5.3.4. Further information on processing operations, procedures and services

Commercial use

We process the data of the users of our application, registered users and any test users (hereinafter referred to individually and collectively as ‘users’) in order to be able to provide them with our contractual services and on the basis of legitimate interests in order to ensure the security of our application and to be able to develop it further. The required information is labelled as such in the context of the conclusion of the usage, order, purchase order or comparable contract and may include the information required for the provision of services and for any billing as well as contact information in order to be able to hold any consultations.

Device authorisations for access to functions and data

The use of our application or its functionalities may require user authorisations for access to certain functions of the devices used or to the data stored on the devices or accessible with the help of the devices. By default, these authorisations must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app authorisations may depend on the device and the user’s software. Users can contact us if they require clarification. We would like to point out that the denial or revocation of the respective authorisations may affect the functionality of our application.

Processing of saved contacts

When using our application, the contact information of persons stored in the contact directory of the device (name, e-mail address, telephone number) is processed. The use of contact information requires user authorisation, which can be revoked at any time. The use of contact information only serves to provide the respective functionality of our application, as described to users, or its typical and expected functionality. Users are advised that permission to process contact information must be permitted and, in the case of natural persons in particular, requires their consent or legal authorisation.

Processing of location data

When using our application, the location data collected by the device used or otherwise entered by the user is processed. The use of location data requires user authorisation, which can be revoked at any time. The use of location data only serves to provide the respective functionality of our application, as described to users, or its typical and expected functionality.

5.4. Function-dependent interfaces

Depending on the functions selected by the contractual partner, data is exchanged with one or more of the following companies in order to provide and continuously improve our services; the legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. b GDPR. If the third-party providers named in section 5.4. work for us as commissioned data processors, the commissioned data processing is carried out in accordance with Art. 28 GDPR. We have selected these third-party providers carefully and in accordance with the provisions of the GDPR.

Doctolib

Online appointment scheduling and appointment management; Service provider: Doctolib GmbH, Wilhelmstraße 118, Aufgang C, 10963 Berlin, Germany, parent company: Doctolib SAS, 32 rue de Monceau 75008 Paris, France; Website: https://www.doctolib.de; Privacy Policy: https://www.doctolib.de/terms/agreement.

Personio

Personnel management and recruiting platform and services; Service provider: Personio GmbH, Rundfunkplatz 4, 80335 Munich, Germany; Website: https://personio.de/; Privacy Policy: https://www.personio.de/datenschutzerklaerung/.

SAP

Integrated standard business software product with functions in the area of personnel administration and payroll accounting; service provider: SAP Deutschland SE & Co. KG, Hasso-Plattner-Ring 7, 69190 Walldorf, Germany; Website: https://www.sap.com/; Privacy Policy: https://www.sap.com/germany/about/legal/privacy.html.

5.5. Video conferences, online meetings, webinars and screen sharing

We use platforms and applications of other providers (hereinafter referred to as ‘conference platforms’) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as ‘conference’). When selecting the conference platforms and their services, we observe the legal requirements.

As part of participation in a conference, the conference platforms process the participants’ personal data listed below. The scope of the processing depends on which data is required in the context of a specific conference (e.g. specification of access data or clear names) and which optional information is provided by the participants. In addition to processing for the purpose of holding the conference, the conference platforms may also process participants’ data for security purposes or service optimisation. The processed data includes personal data (first name, surname), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the participants’ end devices, their operating system, the browser and its technical and language settings, information on the content of the communication processes, i.e. entries in chats and audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, this will be transparently communicated to the participants in advance and they will be asked for their consent where necessary.

Please note the details of the processing of your data by the conference platforms in their data protection notices and select the security and data protection settings that are best for you in the conference platform settings. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing roommates, locking doors and using the function to make the background unrecognisable, if technically possible). Links to the conference rooms and access data must not be passed on to unauthorised third parties.

If, in addition to the conference platforms, we also process users’ data and ask users for their consent to use the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfil our contractual obligations (e.g. in participant lists, in the case of processing the results of discussions, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses) are processed. Communication partners, users (e.g. website visitors, users of online services) are affected. The processing is carried out for the purpose of providing contractual services and customer service, contact enquiries and communication, office and organisational procedures and is based on the legal bases of consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Microsoft Teams

Messenger and conferencing software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, parent company:

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://products.office.com; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

Furthermore, the parent company Microsoft Corporation is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may also be transferred without further guarantees or additional measures.

5.6. Chatbots and chat functions

We offer online chats and chatbot functions (collectively referred to as ‘chat services’) as a means of communication. A chat is an online conversation conducted with a certain degree of timeliness. A chatbot is software that answers users’ questions or informs them of messages. If you use our chat functions, we may process your personal data.

If you use our chat services within an online platform, your identification number will also be stored within the respective platform. We may also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations via the chat services and log registration and consent processes in order to be able to prove these in accordance with legal requirements.

We would like to point out to users that the respective platform provider may find out that and when users communicate with our chat services and may collect technical information about the user’s device used and, depending on their device settings, also location information (so-called metadata) for the purposes of optimising the respective services and for security purposes. The metadata of communication via chat services (i.e., for example, information on who has communicated with whom) may also be used by the respective platform providers for marketing purposes or to display advertising tailored to users in accordance with their provisions, to which we refer for further information.

If users declare their willingness to a chatbot to activate information with regular messages, they have the option of cancelling the information for the future at any time. The chatbot informs users how and with which terms they can unsubscribe from the messages. When users unsubscribe from the chatbot messages, their data is deleted from the list of message recipients.

We use the aforementioned information to operate our chat services, e.g. to address users personally, to answer their enquiries, to transmit any requested content and also to improve our chat services (e.g. to ‘teach’ chatbots answers to frequently asked questions or to recognise unanswered enquiries).

We use the chat services on the basis of consent if we have previously obtained permission from users to process their data as part of our chat services (this applies to cases in which users are asked for consent, e.g. so that a chatbot can send them regular messages). If we use chat services to answer users’ enquiries about our services or our company, this is done for contractual and pre-contractual communication. We also use chat services on the basis of our legitimate interests in optimising the chat services, their cost-effectiveness and enhancing the positive user experience.

You can revoke your consent at any time or object to the processing of your data in the context of our chat services.

Contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses) are processed. Our communication partners are affected. The purpose of the processing is to respond to contact enquiries and communication, direct marketing (e.g. by email or post)The processing is based on the legal bases of consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Pipedrive

We use the CRM system Pipedrive (https://www.pipedrive.com/de) of the provider Pipedrive OÜ on the basis of our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR (efficient and fast processing of user enquiries, existing customer management, new customer business), a private limited company established under the laws 13ft he Republic of Estonia, with the address Paldiski mnt 80, Tallinn, 10617, Estonia, registered in the Estonian Commercial Register under the code 11958539, and a subsidiary of Pipedrive US. Pipedrive’s privacy policy can be found here: https://www.pipedrive.com/en/privacy.

Furthermore, the parent company Pipedrive Inc. is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

5.7. Push notifications

With the user’s consent, we can send users so-called ‘push notifications’. These are messages that are displayed on users’ screens, devices or browsers, even if our online service is not currently being actively used.

In order to register for the push messages, users must confirm the request from their browser or end device to receive the push messages. This consent process is documented and saved. The storage is necessary to recognise whether users have agreed to receive the push messages and to be able to prove their consent. For these purposes, a pseudonymous identifier of the browser (so-called ‘push token’) or the device ID of an end device is stored.

The push messages may be necessary for the fulfilment of contractual obligations (e.g. technical and organisational information relevant to the use of our online offering) and are otherwise sent on the basis of the user’s consent, unless specifically mentioned below. Users can change the receipt of push messages at any time using the notification settings of their respective browsers or end devices.

Usage data is processed (e.g. websites visited, interest in content, access times). The processing is carried out for the provision of contractual services and customer service, reach measurement (e.g. access statistics, recognition of returning visitors) and is based on consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).

We analyse push messages statistically and can thus recognise whether and when push messages were displayed and clicked on. This information is used for the technical improvement of our push messages based on the technical data or the target groups and their retrieval behaviour or retrieval times. This analysis also includes determining whether the push messages are opened, when they are opened and whether users interact with their content or buttons. For technical reasons, this information can be assigned to the individual push message recipients. However, it is neither our endeavour nor, if used, that of the push message service provider to observe individual users. Rather, we use the analyses to recognise the usage habits of our users and to adapt our push messages to them or to send different push messages according to the interests of our users. The push messages are analysed and their success measured on the basis of the user’s express consent, which is given when they agree to receive the push messages. Users can object to the analysis and performance measurement by unsubscribing from the push messages. A separate cancellation of the analysis and performance measurement is unfortunately not possible.

OneSignal

Sending and managing push notifications; Service provider: OneSignal, Inc, 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA; Website: https://onesignal.com; Privacy Policy: https://onesignal.com/privacy_policy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): are concluded with the provider.

This US company is also certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

5.8. Guided tours/guides, user profiles, user feedback and communication

We use Pendo to provide guided tours/guides, to create user profiles to customise the software, to collect user feedback and to communicate with users. Data processing is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, with the right to object in the area of third-party providers. The service provider is Pendo Inc, 418 South Dawson St., Raleigh, NC 27601, USA. Purposes/legitimate interests: Conducting guided tours/guides through the software during the implementation phase of the software and in customer service, aggregated analysis of user behaviour within the software, collection of customer feedback, e.g. as part of NPS (Net Promoter Scores) for the further development of the product, in-app communication to users on e.g. new releases; data (categories): Inventory data (e.g. customer ID, user ID, role of the user, language), content data (e.g. text input), contract data (e.g. subject matter of the contract), usage and metadata (e.g. as part of the evaluation of usage rates or performance measurement), progress status in the tour/guide (also as part of cookies); Data subjects: All users; Suitable or appropriate guarantees: EU standard contractual clauses; Further information: https://www.pendo.io/privacypolicy/.

5.9. Processing of location data

When using our application, the location data collected by the device used or otherwise entered by the user is processed. The use of location data requires the user’s consent, which can be revoked at any time. The use of location data only serves to provide the respective functionality of our application, in accordance with its description to users, or its typical and expected functionality.

5.10. Service and consulting services

We process our customers’ data as part of our contractual services, which include software implementation, conceptual and strategic consulting, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.

We process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. text entries), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history), usage and metadata (e.g. as part of analysing usage rates or measuring success). In principle, we do not process special categories of personal data unless these are part of commissioned processing. The data subjects include our customers, interested parties and their customers, users, website visitors or employees as well as third parties. The purpose of the processing is the provision of contractual services, billing and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimisation, security measures). We process data that is required for the justification and fulfilment of contractual services and point out the necessity of its disclosure. Disclosure to external parties only takes place if it is necessary in the context of an order. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and the legal requirements of order processing in accordance with Art. 28 GDPR and do not process the data for any purposes other than those specified in the order.

We delete the data after the expiry of statutory warranty and comparable obligations. The necessity of storing the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (6 years, according to § 257 para. 1 HGB, 10 years, according to § 147 para. 1 AO). In the case of data disclosed to us by the client as part of an order, we delete the data in accordance with the specifications of the order, generally after the end of the order.

5.11. Administration, financial accounting, organisation, contact management

5.11.1. General

We process data in the context of administrative tasks and the organisation of our operations, financial accounting, compliance with legal obligations, such as archiving, for the purposes of organisation, administration, planning and the provision of our services. In doing so, we use services, platforms and software from other providers (hereinafter referred to as ‘third-party providers’). When selecting third-party providers and their services, we observe the legal requirements.

In general, we process the same data that we process as part of the provision of our (pre-)contractual services. If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is consent. Furthermore, their use may be part of our (pre-)contractual services, provided that the use of third-party providers has been agreed in this context. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services.

The deletion of data with regard to contractual services and contractual communication corresponds to the information specified in these processing activities.

In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content.

If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.

We disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee centres and payment service providers.

We also store information on suppliers, event organisers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We generally store this mainly company-related data permanently.

5.11.2. Further information on processing operations, procedures and services

Billomat

We use the cloud-based accounting software of Billomat GmbH & Co. KG, Lorenzer Str. 31, 90402 Nuremberg (‘Billomat’). Billomat processes incoming and outgoing invoices and, where applicable, our company’s bank transactions in order to automatically record invoices, match them to the transactions and create the financial accounts from this in a semi-automated process. If personal data is also processed in this process, the processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in the efficient organisation and documentation of our business transactions. You can find more information about Billomat, the automated processing of data and the data protection provisions at https://www.billomat.com/datenschutz/.

Calendly

Online scheduling and appointment management; Service provider: Calendly LLC, 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, USA; Website: https://calendly.com/de; Privacy Policy: https://calendly.com/pages/privacy; Data processing agreement: https://calendly.com/dpa; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://calendly.com/dpa.

Confluence

Software for the creation and administration of wiki & knowledge platforms; Service provider: Atlassian Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; Website: https://www.atlassian.com/software/confluence; Privacy Policy: https://www.atlassian.com/legal/privacy-policy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): Part of the order processing contract; Further information: Data transfer impact assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.

The US company Atlassian Inc. is also certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

Jira

Web application for error management, troubleshooting and operational project management; Service provider: Atlassian Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; Website: https://www.atlassian.com/software/jira; Privacy Policy: https://www.atlassian.com/legal/privacy-policy; Data processing agreement: https://www.atlassian.com/legal/data-processing-addendum; Standard Contractual Clauses (Safeguarding the level of data protection when processing in third countries): Inclusion in the order processing contract; Further information: Data transfer impact assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.

Kombo

We use the integration service provider kombo.dev, a service of Kombo Technologies GmbH, Kottbusser Damm 25-26, 10967 Berlin (hereinafter ‘Kombo’). We use Kombo to integrate various databases and web applications. Kombo is a web service that automatically links actions between different databases and web applications and synchronises their applications with each other. Kombo automates our processing procedures and ensures different workflows for efficient data processing. The data processing described is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in the efficient organisation of our work processes. Further information on data use by Kombo can be found in the Kombo data protection declaration at https://www.kombo.dev/privacy-policy.

monday.com

Project management – organisation and management of teams, groups, workflows, projects and processes; Service provider: monday.com ltd, 6 Yitzhak Sadeh Street, Tel Aviv 6777506, Israel; Website: https://monday.com/lang/de/; Privacy Policy: https://monday.com/l/de/privatsphaere/datenschutzerklarung/; Data processing agreement: https://monday.com/l/de/privatsphaere/dpa/; Standard Contractual Clauses (Safeguarding the level of data protection when processing in third countries): https://monday.com/l/de/privatsphaere/standardvertragsbedingungen-fuer-kunden-scc-datenverantwortlicher-zu-datenverarbeiter/ (data controller to data processor), https://monday.com/l/de/privatsphaere/standardvertragsbedingungen-fuer-kunden-scc-datenverarbeiter-zu-datenverarbeiter/ (data processor to data processor).

n8n

We use the integration service provider n8n.io, a service of n8n GmbH, Borsigstr. 27, 10115 Berlin (hereinafter ‘n8n’).We use n8n to integrate different databases and web tools. n8n is a web service that automatically links actions between different tools and synchronises their applications with each other. n8n automates our processing operations and ensures different workflows for efficient data processing. The data processing described is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in the efficient organisation of our work processes. Further information on data use by n8n can be found in the n8n data protection declaration at https://n8n.io/legal/#privacy.

PandaDoc

Digital signatures and signing processes for documents; Service provider: PandaDoc, Inc., 3739 Balboa St. #1083, San Francisco, CA 94121, USA; Website: https://www.pandadoc.com/de/; Privacy Policy: https://www.pandadoc.com/de/privacy-notice/; Further information: https://www.pandadoc.com/gdpr/.

This US company is also certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may also be transferred without further guarantees or additional measures.

Pipedrive

We use the CRM system Pipedrive of the provider Pipedrive OÜ on the basis of our legitimate interests (efficient and fast processing of user enquiries, existing customer management, new customer business), a private limited company established under the laws of the Republic of Estonia, with the address Paldiski mnt 80, Tallinn, 10617, Estonia, registered in the Estonian Commercial Register under the code 11958539, and a subsidiary of Pipedrive US. Pipedrive’s privacy policy can be found here: https://www.pipedrive.com/en/privacy. Data processing agreement: https://www.pipedrive.com/en/privacy#data-controller-and-data-processor

Furthermore, the parent company Pipedrive Inc. is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may also be transferred without further guarantees or additional measures.

Salesforce

We use the CRM system Salesforce from the provider salesforce.com Germany GmbH (https://www.salesforce.com/de/), Erika-Mann-Str. 31, 80636 Munich, Germany on the basis of our legitimate interests (efficient and fast processing of user enquiries, existing customer management, new customer business), a subsidiary of Salesforce, Inc. You can access Salesforce’s privacy policy here: https://www.salesforce.com/de/company/privacy/.

Furthermore, the parent company Salesforce, Inc. is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may also be transferred without further guarantees or additional measures.

5.12. Plugins and embedded functions and content

5.12.1. General information on plugins and embedded functions and content

We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as ‘third-party providers’). These may be, for example, graphics, videos or city maps (hereinafter collectively referred to as ‘content’).

The integration always requires that the third-party providers of this content process the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content or function. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as ‘web beacons’) for statistical or marketing purposes. Pixel tags can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as being linked to such information from other sources.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms) are processed. The data subjects affected by data processing are users (e.g. website visitors, users of online services). The processing takes place for the purpose of providing our online offer and user-friendliness, providing contractual services and customer service, profiles with user-related information (creation of user profiles) and is based on consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

5.12.2. Further information on processing operations, procedures and services

Integration of third-party software, scripts or frameworks (e.g. jQuery)

We integrate software into our online offering that we retrieve from servers of other providers (e.g. function libraries that we use for the purpose of displaying or user-friendliness of our online offering). The respective providers collect the IP address of the users and can process it for the purpose of transmitting the software to the user’s browser and for security purposes, as well as for the evaluation and optimisation of their offer.

Google Fonts

Obtaining fonts (‘Google Fonts’) from the provider Google for the purpose of a technically secure, maintenance-free and efficient use of fonts with regard to up-to-dateness and loading times, their uniform presentation and consideration of possible licence restrictions. Google is informed of the user’s IP address so that Google can provide the fonts in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) required for the provision of the fonts depending on the devices used and the technical environment are transmitted; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

Google Maps

We integrate the maps of the ‘Google Maps’ service provided by Google. The processed data may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually in the context of the settings of their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy Policy: https://policies.google.com/privacy; Opt-Out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of adverts: https://adssettings.google.com/authenticated.

Vimeo

Video content; Service provider: Vimeo Inc, Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy; Opt-Out: We would like to point out that Vimeo may use Google Analytics and refer to the privacy policy (https://policies.google.com/privacy) as well as the opt-out options for Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=de) or Google’s settings for data use for marketing purposes (https://adssettings.google.com/).

YouTube-Videos

Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Opt-Out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of adverts: https://adssettings.google.com/authenticated.

5.13. Business analyses and market research

In order to operate our business economically, identify market trends and the wishes of contractual partners and users, we analyse the data available to us on business transactions, contracts, enquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users with information, e.g. on the services they have used. We use the analyses to increase user-friendliness, optimise our offering and improve business efficiency. The analyses are used solely by us and are not disclosed externally, unless they are anonymous analyses with summarised values.

5.14. Surveys and interviews

The surveys and questionnaires we conduct (hereinafter ‘surveys’) are analysed anonymously. Personal data is only processed insofar as this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address to display the survey in the user’s browser or to enable the survey to be resumed using a temporary cookie (session cookie)) or if users have given their consent.

If we ask the participants for their consent to the processing of their data, this (Art. 6 para. 1 sentence 1 lit. a GDPR) is the legal basis for the processing, otherwise the processing of the participants’ data is based on our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) in conducting an objective survey.

Contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses) are processed.

All our communication partners who take part in the survey or questionnaire are affected. The purpose of the processing is contact enquiries and communication, direct marketing (e.g. by email or post).

6. Applicants and application procedure

6.1. Data protection information in the application process

We process the applicant data only for the purpose and in the context of the application process in accordance with the legal requirements. Applicant data is processed to fulfill our (pre-)contractual obligations in the context of the application process within the meaning of Art. 6 para. 1 lit. b GDPR Art. 6 para. 1 lit. f GDPR if data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, § 26 BDSG also applies). The application process requires applicants to provide us with applicant data. If we offer an online form, the necessary applicant data is marked, otherwise it is derived from the job descriptions and generally includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. Applicants can also voluntarily provide us with additional information. By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the type and scope set out in this privacy policy. Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession). If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. We therefore cannot accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending it by post. Instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post. In the event of a successful application, we may process the data provided by applicants for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified withdrawal by the applicant, the deletion will take place after a period of six months so that we can answer any follow-up questions regarding the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

6.2. Talent pool

As part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of two years on the basis of consent within the meaning of Art. 6 para. 1 lit. b and Art. 7 GDPR. The application documents in the talent pool will only be processed in the context of future job advertisements and the search for employees and will be destroyed at the latest after the above-mentioned period has expired. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare an objection within the meaning of Art. 21 GDPR.

6.3. Further information on processing operations, procedures and services

Stepstone

Recruiting platform and services; Service provider: StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany; Website: https://www.stepstone.de; Privacy Policy: https://www.stepstone.de/Ueber-StepStone/Rechtliche-Hinweise/datenschutzerklaerung/.

Indeed

Recruiting platform and services; Service provider: Indeed Ireland Operations Limited, 124 St. Stephen’s Green, Dublin 2, Ireland; Website: https://indeed.com/; Privacy Policy: https://de.indeed.com/legal?hl=de#privacypolicy.

JOIN

Recruiting platform and services; Service provider: JOIN Solutions GmbH, Schönhauser Allee 36, 10435 Berlin, Germany; Website: https://join.com/de/; Privacy Policy: https://join.com/de/datenschutz/.

Personio

7. Hosting

7.1. General information on hosting

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online offering.

In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with. Art. 28 GDPR (conclusion of order processing contract).

7.2. Collection of access data and log files

We, or our hosting provider, collect data about every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

7.3. Further information on processing operations, procedures and services

Amazon Web Services (AWS)

Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA; Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/?nc1=f_pr; Data Processing Agreement: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://aws.amazon.com/de/service-terms/.

Hetzner

Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Website: https://www.hetzner.com; Privacy Policy: https://www.hetzner.com/de/rechtliches/datenschutz; Data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.

Microsoft cloud services

Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

8. Blog, comments and posts

8.1. Comments and contributions

If users leave comments or other contributions, their IP addresses may be stored for 7 days on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR. This is done for our security in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves may be prosecuted for the comment or post and are therefore interested in the identity of the author.

Furthermore, we reserve the right to process user data for the purpose of spam detection on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR.

The data provided in the context of comments and contributions will be stored by us permanently until the user objects.

8.2 Retrieval of emojis and smilies

Within our WordPress blog, graphic emojis (or smilies), i.e. small graphic files that express feelings, can be used, which are obtained from external servers. The providers of the servers collect the IP addresses of the users. This is necessary so that the emoji files can be transmitted to the user’s browser. The emoji service is provided by Automattic Inc, 60 29th Street #343, San Francisco, CA 94110, USA. Data protection information from Automattic: https://automattic.com/privacy/. The server domains used are s.w.org and twemoji.maxcdn.com, which, to our knowledge, are so-called content delivery networks, i.e. servers that are only used for the fast and secure transmission of files and the personal data of users is deleted after transmission.

9. contact and customer relations management (CRM)

9.1. General information on making contact and CRM

When contacting us (e.g. by contact form, email, telephone or via social media) and in the context of existing user and business relationships, the data of the inquiring persons are processed insofar as this is necessary to answer the contact inquiries and any requested measures.

The response to contact inquiries and the management of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries and maintaining user or business relationships.

We process inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms). All our communication partners who use these channels are affected. The purpose of the processing is to respond to contact requests and communication, the provision of contractual services and customer service.

Processing is based on the legal grounds of contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).

9.2. Further information on processing operations, procedures and services

Contact form

When users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to process the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships, insofar as this is necessary for their fulfillment and otherwise on the basis of our legitimate interests as well as the interests of the communication partners in responding to the concerns and our statutory retention obligations.

reCAPTCHA

We integrate the “reCAPTCHA” function in order to be able to recognize whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called “bots”). The processed data may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on websites, previously visited websites, interactions with ReCaptcha on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). Data processing is carried out on the basis of our legitimate interest in protecting our online offering from abusive automated crawling and spam; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.google.com/recaptcha/; Privacy Policy:

https://policies.google.com/privacy; possibility of objection (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://adssettings.google.com/authenticated.

Zendesk

We use the CRM system “Zendesk”, from the provider Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA, in order to be able to process user inquiries more quickly and efficiently (legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR).

Zendesk only uses the user’s data for the technical processing of inquiries and does not pass it on to third parties. To use Zendesk, it is necessary to provide at least a correct e-mail address. Pseudonymous use is possible. In the course of processing service requests, it may be necessary to collect further data (e.g. name, address, telephone number). The use of Zendesk is optional and serves to improve and accelerate our customer and user service.

If users do not agree to the collection of data via and storage of data in Zendesk’s external system, we offer them alternative contact options for submitting service requests by email, telephone, fax or post.

Website: https://www.zendesk.de; Privacy Policy: https://www.zendesk.de/company/customers-partners/privacy-policy/; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): Binding internal data protection regulations as a basis for US data transfers: https://www.zendesk.de/company/privacy-and-data-protection/#data-processing-agreement.

The US company Zendesk, Inc. is also certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

10. Newsletter

10.1. General information on sending newsletters

With the following information we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described.

Content of the newsletter: We only send newsletters, emails and other electronic notifications containing advertising information (hereinafter referred to as ‘newsletters’) with the consent of the recipient or with legal authorisation. If the content of the newsletter is specifically described when registering for the newsletter, it is decisive for the user’s consent. Otherwise, our newsletters contain information about our services and us.

Double opt-in and logging: Registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no-one can register with other people’s e-mail addresses. Subscriptions to the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements.

legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the mailing service provider are also logged.

Registration data: To subscribe to the newsletter, it is sufficient to enter your e-mail address. Optionally, we ask you to provide a name so that we can address you personally in the newsletter.

The newsletter and the performance measurement associated with it are sent on the basis of the recipient’s consent in accordance with Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with Section 7 para. 2 no. 3 UWG or on the basis of the legal authorisation in accordance with Section 7 para. 3 UWG.

The logging of the registration process is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. We are interested in using a user-friendly and secure newsletter system that serves both our business interests and the expectations of users and also allows us to provide proof of consent.

Cancellation/revocation – You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. You will find a link to cancel the newsletter at the end of each newsletter. We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time.

10.2. Measuring the success of newsletters

The newsletters contain a so-called ‘web beacon’, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a dispatch service provider, from their server. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and time of retrieval, is initially collected.

This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our endeavour nor, if used, that of the mailing service provider to observe individual users. The analyses serve us much more to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

10.3. Further information on processing operations, procedures and services

Newsletters can be sent using the mailing service provider Mailjet SAS, 13-13 bis, rue de l’Aubrac, 75012 Paris, France. You can view the data protection provisions of the mailing service provider here: https://www.mailjet.de/privacy-policy/. The shipping service provider is used on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and an order processing contract pursuant to Art. 28 para. 3 sentence 1 GDPR.

The mailing service provider may use the data of the recipients in anonymised form, i.e. without allocation to a user, to optimise or improve its own services, e.g. to technically optimise the mailing and presentation of the newsletter or for statistical purposes. However, the mailing service provider does not use the data of our newsletter recipients to write to them itself or to pass the data on to third parties.

11. presence in social networks (social media)

11.1. General information on presences in social networks

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users’ rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behaviour and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behaviour and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the opt-out options, please refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the user’s data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

All users of the respective social networks are affected (e.g. website visitors, users of online services). The purpose of the processing lies in contact requests and communication, feedback (e.g. collecting feedback via online form), marketing and the processing is based on the legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR).

11.2. Further information on processing operations, procedures and services

Facebook pages

With regard to profiles within the social network Facebook, we are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called ‘fan page’). This data includes information about the types of content users view or interact with, or the actions they take (see under ‘Things you and others do and provide’ in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under ‘Device information’ in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analytics services, known as ‘Page Insights’, for page operators so that they can gain insights into how people interact with their pages and the content associated with them.

We have concluded a special agreement with Facebook (‘Information on Page Insights’, https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the ‘Information on Page Insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data); service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Agreement on joint controllership: https://www.facebook.com/legal/terms/information_about_page_insights_data.

LinkedIn

Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://legal.linkedin.com/dpa; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Vimeo

Social network and video platform; Service provider: Vimeo Inc, Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy.

Xing

Social network; Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

YouTube

Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Opt-Out: https://adssettings.google.com/authenticated.

12. Cookies, Google Analytics und Marketing

12.1. Cookies and right to object to direct advertising

Cookies‘ are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, or ‘session cookies’ or ‘transient cookies’, are cookies that are deleted after a user leaves an online service and closes their browser. The content of a shopping basket in an online shop or a login status, for example, can be stored in such a cookie. ‘Permanent’ or “persistent” cookies are cookies that remain stored even after the browser is closed. For example, the login status can be saved in order to simplify the login process for the user. The interests of the user can also be stored in such a cookie and used for reach measurement or marketing purposes. ‘Third-party cookies’ are cookies that are offered by providers other than the controller who operates the online service (otherwise, if they are only their cookies, they are referred to as “first-party cookies”). Necessary cookies – also known as essential or absolutely necessary cookies – may be absolutely essential for the operation of a website, e.g. to store logins and/or other user input, or for security reasons. Statistical, marketing and/or personalisation cookies are used, for example, as part of reach measurement when user interest or user behaviour is stored in a user profile. Such cookies are used, for example, to display content to users that matches their potential interests.

We may use temporary and permanent cookies and provide information about this in our privacy policy. Unless we state otherwise regarding the storage period for permanent cookies, the storage period can be up to two years.

The legal basis on which we process personal data with the help of cookies depends on whether you are asked for consent. If you consent to the use of cookies, the legal basis for processing your data is the consent you have given. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in the commercial operation of our online offering and its improvement) or to fulfil our contractual obligations.

Depending on whether the processing is based on consent or legal authorisation, you have the option at any time to withdraw your previously granted consent or to object to the processing of your data by cookie technologies (‘opt-out’). A general objection to the use of cookies used for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.de/. Furthermore, the storage of cookies can be achieved by switching them off in the browser settings. Please note that you may then not be able to use all the functions of this website.

BorlabsCookie

Cookie consent management; Service provider: Borlabs; Website: https://de.borlabs.io/borlabs-cookie/; Further information: An individual user ID, language and types of consent and the time they were given are stored on the server and in the cookie on the user’s device.

Content delivery network from Cloudflare

We use a so-called ‘Content Delivery Network’ (CDN), offered by Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA. A CDN is a service with the help of which the content of our online offer, in particular large media files such as graphics or scripts, are delivered faster with the help of regionally distributed servers connected via the Internet. User data is processed solely for the aforementioned purposes and to maintain the security and functionality of the CDN. Further information can be found in Cloudflare’s privacy policy: https://www.cloudflare.com/security-policy.

The US company Cloudflare, Inc. is also certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

12.2. Use of Google products and related services

12.2.1. Google Analytics

We use Google Analytics, a web analysis service of Google LLC (‘Google’), on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f) GDPR) or user consent. Google uses cookies. The information generated by the cookie about the use of the online offer by the user is usually transmitted to a Google server in the USA and stored there.

Google will use this information on our behalf to analyse the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. Pseudonymised user profiles can be created from the processed data.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.

The IP address transmitted by the user’s browser will not be merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online offer and from processing this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information on the use of data by Google, setting and objection options, can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Furthermore, the parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may also be transferred without further guarantees or additional measures.

12.2.2. Target group formation with Google Analytics

We use Google Analytics to display adverts placed by Google and its partners within advertising services only to those users who have also shown an interest in our online offering or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Google (so-called ‘remarketing’ or ‘Google Analytics audiences’). With the help of remarketing audiences, we also want to ensure that our adverts correspond to the potential interest of users.

12.2.3. Google Tag Manager

Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users’ personal data, please refer to the following information on Google services. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

12.2.4. Google AdWords and conversion measurement

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (‘Google’). GDPR) the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (‘Google’).

We use the online marketing process Google ‘AdWords’ to place adverts in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who are likely to be interested in the adverts. This allows us to display adverts for and within our online offering in a more targeted manner in order to present users only with adverts that potentially match their interests. If, for example, a user is shown adverts for products that they were interested in on other online offers, this is referred to as ‘remarketing’. For these purposes, when our and other websites on which the Google advertising network is active are accessed, a code from Google is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as ‘web beacons’) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user’s device (comparable technologies can also be used instead of cookies). This file records which websites the user has visited, which content they are interested in and which offers the user has clicked on, as well as technical information about the browser and operating system, referring websites, time of visit and other information about the use of the online offer.

We also receive an individual ‘conversion cookie’. The information obtained with the help of the cookie is used by Google to create conversion statistics for us. However, we only receive the anonymous total number of users who clicked on our advert and were redirected to a page with a conversion tracking tag. However, we do not receive any information with which users can be personally identified.

User data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the user’s name or email address, for example, but processes the relevant data in relation to cookies within pseudonymised user profiles. This means that, from Google’s perspective, the adverts are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about the user is transmitted to Google and stored on Google’s servers in the USA.

Further information on the use of data by Google, setting and objection options, can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for the display of adverts by Google (https://adssettings.google.com/authenticated).

Furthermore, the parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

12.2.5. Google DoubleClick

We use the Google ‘DoubleClick’ online marketing process to place adverts in the Google advertising network (e.g. in search results, in videos, on websites, etc.). DoubleClick is characterised by the fact that ads are displayed in real time based on the presumed interests of users. This allows us to display adverts for and within our online offering in a more targeted manner in order to present users only with adverts that potentially match their interests. If, for example, a user is shown adverts for products that they were interested in on other online offers, this is referred to as ‘remarketing’. For these purposes, when our and other websites on which the Google advertising network is active are accessed, a code from Google is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as ‘web beacons’) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user’s device (comparable technologies can also be used instead of cookies). This file records which websites the user has visited, which content they are interested in and which offers the user has clicked on, as well as technical information about the browser and operating system, referring websites, time of visit and other information about the use of the online offer.

The IP address of the user is also recorded, whereby this is shortened within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only in exceptional cases is it transmitted in full to a Google server in the USA and shortened there. Google may also combine the aforementioned information with such information from other sources. If the user subsequently visits other websites, they may be shown adverts tailored to their interests based on their user profile.

User data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the user’s name or email address, for example, but processes the relevant data in relation to cookies within pseudonymised user profiles. This means that, from Google’s perspective, the adverts are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected by Google marketing services about users is transmitted to Google and stored on Google’s servers in the USA.

Further information on the use of data by Google, setting and objection options, can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for the display of adverts by Google (https://adssettings.google.com/authenticated).

Furthermore, the parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

12.2.6. Leadfeeder

We use the Leadfeeder service on the basis of our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR in order to acquire interested parties (leads). Leadfeeder uses the IP addresses of visitors to our website provided via Google Analytics and links these IP addresses with information about the companies that can be found on the Internet under these IP addresses. Because the IP addresses of visitors to our website are truncated by default when Google Analytics is used, no direct personal references are made; Leadfeeder can only be used to deduce the companies as an assumption. Leadfeeder is integrated into our CRM system. Leadfeeder is a service of Liidio Oy, Mikonkatu 17 C, Helsinki 00100, Finland. Website: https://www.leadfeeder.com; Privacy Policy: https://www.leadfeeder.com/privacy; further information on Leadfeeder and compatibility with the General Data Protection Regulation: https://www.leadfeeder.com/leadfeeder-and-gdpr/. You can prevent Leadfeeder from processing data about your use of our site by opting out. You can find more information on this at: https://yourdata.leadfeeder.com/.