Privacy Policy
Preamble
With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").
The terms used are not gender-specific.
Last Update: 14. May 2025
Controller
Soft Spaces
Tatjana Rappaccioli Howard
Schumannstr. 56
22083 Hamburg
E-mail address: contact@soft-spaces.de
Legal Notice: soft-spaces.de/impressum
Relevant legal bases
Relevant legal bases according to the GDPR: In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply.
Consent (Article 6 (1) (a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and prior requests (Article 6 (1) (b) GDPR) - Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate Interests (Article 6 (1) (f) GDPR) - the processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not prevail.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes and transmission.
Security Precautions
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information that is transferred between the website or app and the user's browser (or between two servers), thereby safeguarding the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions conform to the highest security standards.
Transmission of Personal Data
In the course of processing personal data, it may happen that this data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements.
International data transfers
Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies (which becomes apparent either from the postal address of the respective provider or when explicitly mentioned in the privacy policy regarding data transfer to third countries), this is always done in accordance with legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by the EU Commission's adequacy decision of July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers, which comply with the EU Commission's requirements and establish contractual obligations to protect your data.
This dual safeguard ensures comprehensive protection of your data: The DPF serves as the primary level of protection, while the Standard Contractual Clauses act as an additional security measure. Should any changes occur within the DPF framework, the Standard Contractual Clauses will serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.
For individual service providers, we will inform you whether they are certified under the DPF and if Standard Contractual Clauses are in place. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce's website at https://www.dataprivacyframework.gov/.
General Information on Data Retention and Deletion
We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original purpose of processing is no longer applicable or the data is no longer needed. Exceptions to this rule exist if statutory obligations or special interests require a longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data specifically applicable to certain processing processes.
In cases where multiple retention periods or deletion deadlines for a date are specified, the longest period always prevails.
If a period does not expressly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred.
Further information on processing methods, procedures and services used:
Data Retention and Deletion: The following general deadlines apply for the retention and archiving according to German law:
10 Years - Fiscal Code/Commercial Code - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the necessary work instructions and other organisational documents (Section 147 Paragraph 1 No. 1 in conjunction with Paragraph 3 of the German General Tax Code (AO), Section 14b Paragraph 1 of the German VAT Act (UStG), Section 257 Paragraph 1 No. 1 in conjunction with Paragraph 4 of the German Commercial Code (HGB)).
8 years - Accounting documents, such as invoices, booking and expense receipts (Section 147 Paragraph 1 No. 4 and 4a in conjunction with Paragraph 3 of the German General Tax Code (AO), Section 257 Paragraph 1 No. 4 in conjunction with Paragraph 4 of the German Commercial Code (HGB))
6 Years - Other business documents: received commercial or business letters, copies of dispatched commercial or business letters, and other documents to the extent that they are significant for taxation purposes, for example, hourly wage slips, operating accounting sheets, calculation documents, price tags, as well as payroll accounting documents, provided they are not already accounting vouchers and cash register tapes Section (Section 147 Paragraph 1 No. 2, 3, 5 in conjunction with Paragraph 3 of the German General Tax Code (AO), Section 257 Paragraph 1 No. 2 and 3 in conjunction with Paragraph 4 of the German Commercial Code (HGB)).
3 Years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experiences and common industry practices, will be stored for the duration of the regular statutory limitation period of three years. This period begins at the end of the year in which the relevant contractual transaction took place or the contractual relationship ended in the case of ongoing contracts (Sections 195, 199 of the German Civil Code).
Business services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the context of contractual and comparable legal relationships as well as associated actions and communication with the contractual partners or pre-contractually, e.g. to answer inquiries.
We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and economical business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this privacy policy.
Which data are necessary for the aforementioned purposes, we inform the contracting partners before or in the context of the data collection, e.g. in online forms by special marking (e.g. colors), and/or symbols (e.g. asterisks or the like), or personally.
We delete the data after expiry of statutory warranty and comparable obligations, i.e. in principle after expiry of 4 years, unless the data is stored in a customer account or must be kept for legal reasons.
Processed data types: Inventory data; Payment Data (e.g. bank details, invoices, payment; Contact data (e.g. postal and email addresses or phone); Contract data (e.g. contract object, duration); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers).
Data subjects: Service recipients and clients; Prospective customers. Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organisational procedures; Organisational and Administrative Procedures. Business processes and management procedures.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Online shop, order forms, e-commerce and delivery.: We process the data of our customers in order to enable them to select, purchase or order the selected services, as well as their payment, or performance of other services. For the processing of payment transactions we use the services of banks and payment service providers. The required details are identified as such in the course of the ordering or comparable purchasing process.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Therapeutic Services: We process the data of our clients and interested parties and other clients or contractual partners (uniformly referred to as "clients") in order to provide them with our services. The data processed, the type, scope and purpose of their processing and the necessity of their processing are determined by the underlying contractual and client relationship.
Within the scope of our services, we may also process special categories of data, here in particular information on the health of clients, possibly with reference to their sexual life or sexual orientation and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs. To this end, we obtain the express consent of clients where necessary and process the special categories of data otherwise for the purposes of health care, if the data is public or wit an other legal persmission.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Business processes and operations
Personal data of service recipients and clients - including customers, clients, or in specific cases, mandates, patients, or business partners as well as other third parties - are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relations. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.
The collected data is used to fulfil contractual obligations and make business processes efficient. This includes the execution of business transactions, the management of customer relationships, the optimisation of sales strategies, and ensuring internal invoicing and financial processes. Additionally, the data supports the protection of the rights of the controller and promotes administrative tasks as well as the organisation of the company.
Personal data may be transferred to third parties if necessary for fulfilling the mentioned purposes or legal obligations.
Processed data types: Inventory data (For example, the full name, residential address, contact information); Payment Data (e.g. credit card details, invoices, payment sources); Contact data (e.g. postal and email addresses or phone); Contract data (e.g. contract object, duration); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers).
Data subjects: Service recipients and clients; Prospective customers; Communication partner (Recipients of e-mails, letters, etc.); Business and contractual partners; Third parties; Users (e.g. website visitors); Employees (e.g. employees, job applicants, temporary workers). Customers.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Office and organisational procedures; Business processes and management procedures; Communication; Marketing; Sales promotion; Financial and Payment Management. Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers).
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR). Compliance with a legal obligation (Article 6 (1) (c) GDPR).
Further information on processing methods, procedures and services used:
Customer Management and Customer Relationship Management (CRM): Processes required in the context of customer management and Customer Relationship Management (CRM) include customer acquisition in compliance with data protection regulations, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service with consideration of data protection, data management and analysis to support the customer.
Legal Basis:Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Contact management and contact maintenance: Processes required in the context of organizing, maintaining, and securing contact information (e.g., setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, conducting backups and restorations of contact data, training employees in effective use of contact data.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
General Payment Transactions: Procedures required for carrying out payment transactions, monitoring bank accounts, and controlling payment flows (e.g., creation and verification of transfers, processing of direct debit transactions, checking of account statements, monitoring of incoming and outgoing cashflow.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Accounting, accounts payable, accounts receivable: Procedures required for the collection, processing, and control of business transactions in the area of accounts payable and receivable accounting (e.g., creation and verification of incoming and outgoing invoices, monitoring and management of outstanding items, execution of payment transactions, handling of dunning processes, account reconciliation within scope)
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Financial Accounting and Taxes: Procedures required for the collection, management, and control of finance-related business transactions as well as for the calculation, reporting, and payment of taxes (e.g., accounting and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, handling of dunning processes, account reconciliation, taxes)
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Marketing, advertising, and sales promotion: Processes required in the context of marketing, advertising, and sales promotion (e.g., market analysis and audience targeting, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade show participation, customer loyalty programs, sales promotion)
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Use of online platforms for listing and sales purposes
We offer our services on online platforms operated by other service providers. In addition to our privacy policy, the privacy policies of the respective platforms apply. This is particularly true with regard to the payment process and the methods used.
Processed data types: Inventory data (For example, the full name, residential address, contact information); Payment Data (e.g. bank details, invoices, payment details); Contact data (e.g. postal and email addresses or phone); Contract data (e.g. contract object, duration, customer details); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers). Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship).
Data subjects: Service recipients and clients; Business and contractual partners. Users (e.g. website visitors, users of online presence).
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Marketing; Business processes and management procedures. Office and organisational procedures.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
EGYM Wellpass: Fitness and wellness for employees; Service provider: EGYM Wellpass GmbH
Einsteinstraße 172
81677 München; Website: https://us.egym-wellpass.com/en-us. Privacy Policy: https://us.egym-wellpass.com/en-us/privacyUrban Sports Club: Sports and Wellness Offerings; Service provider: Urban Sports GmbH
Voltairestr. 10
10179 Berlin ; Website: https://urbansportsclub.com/de. Privacy Policy: https://urbansportsclub.com/en/privacy-deEventbrite: Event management platform that helps event organisers to organise virtual, face-to-face and hybrid events and offers features for attendee communication, event registration, networking; Service provider: Eventbrite, Inc., 155 5th Street, Floor 7, San Francisco, CA – United States of America.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.eventbrite.de; Privacy Policy: https://www.eventbrite.de/help/de/articles/460838/datenschutzrichtlinie-von-eventbrite/; Data Processing Agreement: https://www.eventbrite.com/help/en-us/articles/429030/data-processing-addendum-for-organizers/
calendly: Online scheduling and calendar; Service provider: Calendly LLC., 271 17th St NW, Ste 1000, Atlanta, Georgia, United States of America.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://calendly.com; Privacy Policy: https://calendly.com/pages/privacy; Data Processing Agreement:https://calendly.com/dpa. Basis for third-country transfers: Standard Contractual Clauses (https://calendly.com/dpa), Standard Contractual Clauses (https://calendly.com/dpa).
Payment Procedure
Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers for this purpose in addition to banks and credit institutions (collectively referred to as "payment service providers").
The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e. we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check identity and creditworthiness. Please refer to the terms and conditions and data protection information of the payment service providers.
Processed data types: Inventory data (For example, the full name, residential address, contact information); Payment Data (e.g. bank details, invoices, payment source); Contract data (e.g. contract object, duration, customer); Contact data (e.g. postal and email addresses or).
Data subjects: Service recipients and clients; Business and contractual partners. Prospective customers.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Business processes and management procedures.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
American Express: Payment-Service-Provider (technical integration of online-payment-methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Website: https://www.americanexpress.com/. Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/?inav=de_legalfooter_privacycenter
Mastercard: Payment-Service-Provider (technical integration of online-payment-methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Website: https://www.mastercard.co.uk. Privacy Policy: https://www.mastercard.co.uk/en-gb/vision/terms-of-use/commitment-to-privacy/privacy.html
PayPal: Payment-Service-Provider (technical integration of online-payment-methods); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L 2449 Luxembourg.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Website:https://www.paypal.com. Privacy Policy: https://www.paypal.com/de/legalhub/paypal/privacy-full
Visa: Payment-Service-Provider (technical integration of online-payment-methods); Service provider: Visa Europe Services Inc., Zweigniederlassung London, 1 Sheldon Square, London W2 6TT United Kingdom.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Website: https://www.visa.de. Privacy Policy:https://www.visa.de/datenschutz.
Provision of online services and web hosting
We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our website.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved); Log data (e.g. log files concerning logins or data retrieval). Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship).
Data subjects: Users (e.g. website visitors, users of online content).
Purposes of processing: Provision of our online services and usability; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers); Security measures; Web Analytics (e.g. access statistics, recognition of); Conversion tracking (Measurement of the effectiveness of marketing). Server monitoring and error detection.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Provision of online offer on rented hosting space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Collection of Access Data and Log Files: Access to our online service is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful retrieval, browser type along with version, the user's operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. The server log files can be used for security purposes.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention period: http://Bitte Lizenz erwerben.
E-mail Sending and Hosting: The web hosting services we use also include sending, receiving and storing e-mails. For these purposes, the addresses of the recipients and senders, as well as other information relating to the sending of e-mails (e.g. the providers involved) and the contents of the respective e-mails are processed. The above data may also be processed for SPAM detection purposes. Please note that e-mails on the Internet are generally not sent in encrypted form.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Squarespace: Squarespace offers Software as a Service for the creation and hosting of websites; Service provider: Squarespace Ireland Ltd., Le Pole House, Ship Street Great, Dublin 8, Ireland
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.squarespace.com; Privacy Policy:https://www.squarespace.com/privacy; Data Processing Agreement: https://www.squarespace.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.squarespace.com/dpa), Data Privacy Framework (DPF)Standard Contractual Clauses (https://www.squarespace.com/dpa).
Use of Cookies
The term "cookies" refers to functions that store information on users' devices and read it from them. Cookies can also be used for different purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. If necessary, we obtain users' consent in advance. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We clearly inform users about the scope of the consent and which cookies are used.
Information on legal data protection bases: Whether we process personal data using cookies depends on users' consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as outlined in this section and in the context of the respective services and procedures.
Storage duration: The following types of cookies are distinguished based on their storage duration:
Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user revisits a website. Additionally, the user data collected with cookies may be used for audience measurement. Unless we provide information.
Processed data types: Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers).
Data subjects: Users (e.g. website visitors, users of online content).
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Consent (Article 6 (1) (a) GDPR).
Further information on processing methods, procedures and services used:
Processing Cookie Data on the Basis of Consent: We implement a consent management solution that obtains users' consent for the use of cookies or for the processes and providers mentioned within the consent management framework. This procedure is designed to solicit, log, manage, and revoke consents, particularly regarding the use of cookies and similar technologies employed to store, read from, and process information on users' devices. As part of this procedure, user consents are obtained for the use of cookies and the associated processing of information, including specific processing and providers named in the consent management process. Users also have the option to manage and withdraw their consents. Consent declarations are stored to avoid repeated queries and to provide proof of consent according to legal requirements. The storage is carried out server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to associate the consent with a specific user or their device.
Legal Basis: Consent (Article 6 (1) (a) GDPR).
Contact and Inquiry Management
When contacting us (e.g. via mail, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer details); Contact data (e.g. postal and email addresses or phone); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers).
Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
Purposes of processing: Communication; Organisational and Administrative Procedures; Feedback (e.g. collecting feedback via online form). Provision of our online services and usability.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processing methods, procedures and services used:
Contact form: Upon contacting us via our contact form, email, or other means of communication, we process the personal data transmitted to us for the purpose of responding to and handling the respective matter. This typically includes details such as name, contact information, and possibly additional information provided to us that is necessary for appropriate processing
Legal Basis:Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Video Conferences, Online Meetings, Webinars and Screen-Sharing
We use platforms and applications of other providers (hereinafter referred to as "Conference Platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "Conference"). When using the Conference Platforms and their services, we comply with the legal requirements.
Data processed by Conference Platforms: In the course of participation in a Conference, the Data of the participants listed below are processed. The scope of the processing depends, on the one hand, on which data is requested in the context of a specific Conference (e.g., provision of access data or clear names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, participants' Data may also be processed by the Conference Platforms for security purposes or service optimization. The processed Date includes personal information (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the internet access, information on the participants' end devices, their operating system, the browser and its technical and linguistic settings, information on the content-related communication processes, i.e. entries in chats and audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the Conference Platforms, then further data may be processed in accordance with the agreement with the respective Conference Provider.
Logging and recording: If text entries, participation results (e.g. from surveys) as well as video or audio recordings are recorded, this will be transparently communicated to the participants in advance and they will be asked - if necessary - for their consent.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer details); Contact data (e.g. postal and email addresses or phone); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used); Images and/ or video recordings (e.g. photographs or video recordings of a meeting or a session); Audio recordings. Log data (e.g. log files concerning logins or data retrieval).
Data subjects: Communication partner (Recipients of e-mails, letters, etc.); Users (e.g. website visitors, users of online content). Persons depicted.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Communication. Office and organisational procedures.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Google Hangouts / Meet: Conference and communication software; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin D04 E5W5, Ireland.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://hangouts.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause), Data Privacy Framework (DPF)Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause).
Newsletter and Electronic Communications
We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") exclusively with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during registration for the newsletter, these contents are decisive for the users' consent. Normally, providing your email address is sufficient to sign up for our newsletter. However, to offer you a personalised service, we may ask for your name for personal salutation in the newsletter or for additional information if necessary for the purpose of the newsletter.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to demonstrate previously given consent. The processing of these data is limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that at the same time the former existence of consent is confirmed. In case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose.
Contents:
Information about us, our services, promotions and offers.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer details); Contact data (e.g. postal and email addresses or phone); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers). Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used).
Data subjects: Communication partner (Recipients of e-mails, letters, etc.). Users (e.g. website visitors, users of online content).
Purposes of processing: Direct marketing (e.g. by e-mail or postal). Provision of contractual services and fulfillment of contractual obligations.
Legal Basis: Consent (Article 6 (1) (a) GDPR).
Opt-Out: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can otherwise use one of the contact options listed above, preferably e-mail.
Further information on processing methods, procedures and services used:
Measurement of opening rates and click rates: The newsletters contain a so-called "web beacons", which is a pixel-sized file that is retrieved from our server, or the server of the dispatch service provider if one is used, when the newsletter is opened. In the course of this retrieval, technical information such as details about the browser and your system, as well as your IP address and the time of access are collected. This information is used to technically improve our newsletter based on technical data or target audiences and their reading behavior, which can be determined by their access locations (identifiable by IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to recognize the reading habits of our users and adjust our content to them or send different content according to the interests of our users.
Legal Basis: Consent (Article 6 (1) (a) GDPR).
Prerequisite for the use of free services: Consent to the sending of mailings can be made dependent on the use of free services (e.g. access to certain content or participation in certain campaigns) as a prerequisite. If the users would like to take advantage of the free service without depending on this consent, we can be manually contacted about that.
Order process reminder emails: When users cancel an order process, we can send them a notice of the cancellation and remind them to continue. This function can be useful, for example, if the purchase process could not be continued due to a browser crash, oversight or forgetting.
Legal Basis: Consent (Article 6 (1) (a) GDPR).
Commercial communication by E-Mail, Postal Mail, Fax or Telephone
We process personal data for the purposes of promotional communication, which may be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with the legal requirements.
The recipients have the right to withdraw their consent at any time or to object to the advertising communication at any time.
After revocation or objection, we store the data required to prove the past authorization to contact or send up to three years from the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. We work based on the legitimate interest to permanently observe the revocation.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer); Contact data (e.g. postal and email addresses or phone). Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship).
Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
Purposes of processing: Direct marketing (e.g. by e-mail or postal); Marketing. Sales promotion.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Consent (Article 6 (1) (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Web Analysis, Monitoring and Optimization
Web analytics (also referred to as "reach measurement") is used to evaluate the visitor flows of our online services and may include pseudonymous values related to visitor behavior, interests, or demographic information such as age or gender. Through reach analysis, we can, for example, identify when our online services or their functions and content are most frequently used or likely to encourage repeat visits. It also enables us to determine which areas need optimization.
In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online services or their components.
Unless otherwise specified below, profiles (i.e., data combined from a usage process) may be created for these purposes, and information can be stored in and later retrieved from a browser or device. The data collected includes, in particular, visited websites and elements used on them, as well as technical information such as the browser used, the computer system, and information about usage times. If users have given consent to the collection of their location data to us or to the providers of the services we use, the processing of location data is also possible.
Additionally, users' IP addresses are stored. However, we use an IP masking process (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored as part of web analytics, A/B testing, or optimization. Instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers).
Data subjects: Users (e.g. website visitors, users of online content).
Purposes of processing: Web Analytics (e.g. access statistics, recognition of returning users); Profiles with user-related information (Creating user profiles); Provision of our online services and usability; Conversion tracking (Measurement of the effectiveness of marketing). Server monitoring and error detection.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a while).
Security measures: IP Masking (Pseudonymization of the IP address).
Legal Basis: Consent (Article 6 (1) (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Google Analytics: We use Google Analytics to perform measurement and analysis of the use of our online services by users based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed within one or various usage processes, which search terms they have used, have accessed again or have interacted with our online services. Likewise, the time of use and its duration are stored, as well as the sources of users referring to our online services and technical aspects of their end devices and browsers.
In the process, pseudonymous profiles of users are created with information from the use of various devices, and cookies may be used. Google Analytics does not log or store individual IP addresses. Analytics does provide coarse geo-location data by deriving the following metadata from IP addresses: City (and the derived latitude, and longitude of the city), Continent, Country, Region, Subcontinent (and ID-based counterparts); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin D04 E5W5, Ireland
Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://hangouts.google.com/; Security measures: IP Masking (Pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Data Privacy Framework (DPF)Standard Contractual Clauses ( https://business.safety.google/adsprocessorterms)
Squarespace: Squarespace offers Software as a Service for the creation and hosting of websites; Service provider: Squarespace Ireland Ltd., Le Pole House, Ship Street Great, Dublin 8, Ireland
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.squarespace.com; Privacy Policy:https://www.squarespace.com/privacy; Data Processing Agreement: https://www.squarespace.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.squarespace.com/dpa), Data Privacy Framework (DPF)Standard Contractual Clauses (https://www.squarespace.com/dpa).
Profiles in Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users' rights.
In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the associated interests of users. The user profiles can then be used, for example, to place advertisements within and outside the networks which are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective networks or will become members later on).
For a detailed description of the respective processing operations and the opt-out options, please refer to the respective data protection declarations and information provided by the providers of the respective networks.
Processed data types: Contact data (e.g. postal and email addresses or phone); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship). Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used).
Data subjects: Users (e.g. website visitors, users of online content).
Purposes of processing: Communication; Feedback (e.g. collecting feedback via online form). Public relations.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Instagram: Social network, allows the sharing of photos and videos, commenting on and favouriting posts, messaging, subscribing; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 H0C9 Ireland
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Basis for third-country transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF).
Facebook Pages: Profiles within the social network Facebook - We are jointly responsible (so called "joint controller") with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page. This data includes information about the types of content users view or interact with, or the actions they take (see "Things that you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie information; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How we use this information?" Facebook also collects and uses information to provide analytics services, known as "page insights," to site operators to help them understand how people interact with their pages and with content associated with them. We have concluded a special agreement with Facebook ("Information about Page-Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular the security measures that Facebook must observe and in which Facebook has agreed to fulfill the rights of the persons concerned (i.e. users can send information access or deletion requests directly to Facebook). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the controller.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 H0C9 Ireland
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy Policy:https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Data Privacy Framework (DPF)Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
Facebook events: Event profiles within the social network Facebook - We use the "Events" function of the Facebook platform to refer to events and dates as well as to get in touch with users (participants and interested parties) and to exchange information. In doing so, we process personal data of the users of our event pages, as far as this is necessary for the purpose of the event page as well as its moderation. These data include information on first and last names, as well as published or privately communicated content, as well as values on the status of participation and the time information on the aforementioned data. Furthermore, we refer to the processing of data of users by Facebook itself. This data includes information about the types of content users view or interact with, or the actions they take (see under "Things You and Others Do and Provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/).
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 H0C9 Ireland
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF).
LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data, which is used to create "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. It also includes details about the devices used, such as IP addresses, operating systems, browser types, language settings, and cookie data, as well as profile details of users, such as job function, country, industry, seniority, company size, and employment status. Privacy information regarding the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum," https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates the security measures LinkedIn must comply with and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e., users can, for example, direct requests for information or deletion directly to LinkedIn). The rights of users (particularly the right to information, deletion, objection, and to lodge a complaint with the competent supervisory authority) are not restricted by our agreements with LinkedIn.Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://de.linkedin.com/legal/privacy-policy ; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Data Privacy Framework (DPF)Standard Contractual Clauses (https://legal.linkedin.com/dpa).
Plugins and embedded functions and content
Within our online services, we integrate functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may, for example, be graphics, videos or city maps (hereinafter uniformly referred to as "Content").
The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of these contents or functions. We strive to use only those contents, whose respective offerers use the IP address only for the distribution of the contents. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers).
Data subjects: Users (e.g. website visitors, users of online content).
Purposes of processing: Provision of our online services and usability.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a longer period of time).
Legal Basis: Consent (Article 6 (1) (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Google Fonts (Provision on own server): Provision of font files for the purpose of a user-friendly presentation of website content; Service provider: The Google Fonts are hosted on our server.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Adobe Fonts: Provision of fonts for integration into web and print designs, synchronisation of fonts across devices, access to a library of licensed fonts for creative projects; Service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.adobe.com; Privacy Policy:https://www.adobe.com/de/privacy.html; Basis for third-country transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF).