Privacy Policy
Table of Contents
- Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Provision of the Online Offer and Web Hosting
- Use of Cookies
- Blogs and Publication Media
- Contact and Request Management
- Newsletter and Electronic Notifications
- Web Analytics, Monitoring and Optimisation
- Presence on Social Networks (Social Media)
- Plugins and Embedded Functions and Content
Controller
Head office:
Fresh Nuts GmbH
Pinkertweg 10
22113 Hamburg
Germany
Production site:
Fresh Nuts GmbH
Rögen 42
23843 Bad Oldesloe
Germany
Authorised representative: Mr. Kadir Kilic
Email address: info@meray.eu
Overview of Processing Activities
The following overview summarises the types of data processed and the purposes of their processing and refers to the categories of data subjects.
Types of data processed
- Inventory data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
- Log data.
Categories of data subjects
- Service recipients and clients.
- Prospective customers.
- Communication partners.
- Users.
- Business and contractual partners.
Purposes of processing
- Provision of contractual services and fulfilment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organisational procedures.
- Audience building.
- Organisational and administrative procedures.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offer and user-friendliness.
- Information technology infrastructure.
- Public relations.
- Business processes and commercial procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection provisions may apply in your or our country of residence or domicile. Where more specific legal bases are relevant in individual cases, we will inform you of these in this Privacy Policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
- Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection rules in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transfer as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual federal states may apply.
Note on the applicability of the GDPR and the Swiss FADP: These data protection notices serve both to provide information under the Swiss Federal Act on Data Protection (FADP) and under the General Data Protection Regulation (GDPR). For this reason, please note that, due to the broader territorial applicability and better comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss FADP such as “processing” of “personal data”, “overriding interest” and “sensitive personal data”, we use the terms “processing” of “personal data”, “legitimate interest” and “special categories of data” as used in the GDPR. The legal meaning of the terms, however, remains determined by the Swiss FADP where it applies.
Security Measures
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, implementation costs and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, securing availability and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data and responses to data threats. We also take into account the protection of personal data when developing or selecting hardware, software and processes, in accordance with the principle of data protection by design and by default.
Transfer of Personal Data
In the course of processing personal data, it may occur that such data is transferred to other entities, companies, legally independent organisational units or individuals, or disclosed to them. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
International Data Transfers
Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of the use of services of third parties or the disclosure or transfer of data to other persons, bodies or companies (which can be recognised by the postal address of the respective provider or where this Privacy Policy expressly refers to data transfers to third countries), this is always carried out in accordance with the legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the EU Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, which comply with the requirements of the EU Commission and establish contractual obligations to protect your data.
This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the Standard Contractual Clauses serve as an additional safeguard. Should any changes occur in the context of the DPF, the Standard Contractual Clauses act as a reliable fall-back option. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes.
In the case of individual service providers, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).
For data transfers to other third countries, corresponding safeguards apply, in particular Standard Contractual Clauses, explicit consent or transfers required by law. Information on transfers to third countries and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no longer any other legal grounds for the processing. This applies in particular where the original purpose of processing no longer applies or the data is no longer required for the purpose. Exceptions apply where legal obligations or particular interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of other natural or legal persons must be archived accordingly.
Our data protection notices contain additional information on the retention and deletion of data that is specific to particular processing operations.
Where there are multiple indications of retention periods or deletion deadlines for particular data, the longest period is decisive. Data that is no longer required for the original purpose but is retained on the basis of legal requirements or other reasons will only be processed for the reasons that justify its retention.
Retention and deletion of data: The following general periods apply for retention and archiving under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet and the working instructions and other organisational documents required to understand these (§ 147(1)(1) in conjunction with (3) AO, § 14b(1) UStG, § 257(1)(1) in conjunction with (4) HGB).
- 8 years – Accounting records, such as invoices and cost receipts (§ 147(1)(4) and (4a) in conjunction with (3) sentence 1 AO and § 257(1)(4) in conjunction with (4) HGB).
- 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents insofar as they are relevant for taxation, such as time sheets, cost accounting sheets, calculation documents, price labels, but also payroll documents insofar as they are not already accounting records, and till receipts (§ 147(1)(2), (3), (5) in conjunction with (3) AO, § 257(1)(2) and (3) in conjunction with (4) HGB).
- 3 years – Data required to take account of potential warranty and damages claims or similar contractual claims and rights, and to process related enquiries, based on past business experience and usual industry practices, is stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular those arising from Art. 15 to 21 GDPR:
- Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent you have given at any time.
- Right of access: You have the right to obtain confirmation as to whether or not data concerning you is being processed and, where that is the case, to obtain access to such data and further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased without undue delay, or, alternatively, to request restriction of processing of the data in accordance with legal requirements.
- Right to data portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with legal requirements.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Business Services
We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as “contractual partners”), in the context of contractual and comparable legal relationships and associated measures, and with regard to communication with the contractual partners (including pre-contractually), e.g. for responding to enquiries.
We use this data to fulfil our contractual obligations. These include, in particular, obligations to provide the agreed services, any update obligations and remedial measures in the event of warranty and other performance issues. In addition, we use the data to safeguard our rights and for administrative tasks associated with these obligations and for business organisation. We also process the data on the basis of our legitimate interests in proper and efficient business management and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information and rights (e.g. involving telecommunications, transport and other ancillary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities). In accordance with applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for compliance with legal obligations. Contractual partners are informed of other forms of processing, e.g. for marketing purposes, within this Privacy Policy.
We inform contractual partners which data is required for the above purposes before or during data collection, e.g. in online forms, by special marking (e.g. colours) or symbols (e.g. asterisks or similar), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, for example because it must be retained for archiving purposes for legal reasons (typically ten years for tax purposes). Data disclosed to us by the contractual partner in the context of an order will be deleted in accordance with the specifications and, as a rule, after completion of the order.
- Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers); Contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Service recipients and clients; Prospective customers; Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Security measures; Communication; Office and organisational procedures; Organisational and administrative procedures; Business processes and commercial procedures.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
- Online shop, order forms, e-commerce and performance of services: We process the data of our customers to enable them to select and purchase the chosen products, goods and related services as well as their payment and delivery or execution. Where necessary for the performance of an order, we use service providers, in particular postal, forwarding and shipping companies, to carry out the delivery or execution to our customers. For processing payments, we use the services of banks and payment service providers. The required information is marked as such during the order or comparable purchase process and includes the information needed for delivery or provision and invoicing, as well as contact details to enable any queries to be answered; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Provision of the Online Offer and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process the users’ IP address, which is necessary to deliver the content and functions of our online services to the user’s browser or device.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); Log data (e.g. log files relating to logins or the retrieval of data or access times).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); Security measures.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
- Collection of access data and log files: Access to our online offer is logged in the form of so-called “server log files”. The server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, data volumes transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (particularly in the event of misuse attacks, so-called DDoS attacks), and, on the other hand, to ensure the utilisation and stability of the servers; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymised. Data whose further retention is required for evidence purposes is exempt from deletion until the respective incident has been finally clarified.
Use of Cookies
The term “cookies” is used to describe functions that store and read information on users’ devices. Cookies can serve different purposes, for example to ensure the functionality, security and convenience of online offers, and to create analyses of visitor flows. We use cookies in accordance with the legal requirements. Where necessary, we first obtain the users’ consent. Where consent is not required, we rely on our legitimate interests. This is the case where storage and reading of information is essential in order to provide content and functions expressly requested. This includes, for example, storing settings as well as ensuring the functionality and security of our online offer. Consent can be withdrawn at any time. We clearly inform users about the scope and which cookies are used.
Notes on data protection legal bases: Whether we process personal data using cookies depends on whether user consent is required. Where consent is required, it serves as the legal basis. Where consent is not required, we rely on our legitimate interests as explained in this section and in the context of the respective services and procedures.
Storage duration: With regard to the storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the device has been closed. This enables, for example, a login status to be saved and preferred content to be displayed directly when a user revisits a website. Likewise, user data collected by means of cookies can be used for reach measurement. Unless we provide explicit information on the type and storage duration of cookies (e.g. as part of obtaining consent), users should assume that cookies are permanent and that the storage duration can be up to two years.
General notes on withdrawal and objection (opt-out): Users can withdraw the consents they have given at any time and, in addition, object to processing in accordance with legal requirements, including through the privacy settings of their browser.
- Types of data processed: Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Further notes on processing operations, procedures and services:
- Processing of cookie data on the basis of consent: We use a consent management solution through which we obtain users’ consent to the use of cookies or to the procedures and providers listed in the consent management solution. This procedure serves to obtain, log, manage and withdraw consents, in particular with regard to the use of cookies and similar technologies that are used to store, read and process information on users’ devices. As part of this procedure, users’ consents to the use of cookies and the associated processing of information, including the specific processing operations and providers specified in the consent management procedure, are obtained. Users also have the option to manage and withdraw their consents. The declarations of consent are stored in order to avoid repeated requests and to be able to provide proof of consent in accordance with legal requirements. Storage is carried out server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies to be able to assign the consent to a specific user or device. Unless specific details of providers of consent management services are provided, the following general information applies: The storage period for consent is up to two years. A pseudonymous user identifier is created which is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, system and device used; Legal bases: Consent (Art. 6(1)(a) GDPR).
Blogs and Publication Media
We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). The data of readers is processed for the purposes of the publication medium only insofar as this is necessary for its presentation and communication between authors and readers or for security reasons. For the rest, we refer to the information on processing of visitors to our publication medium set out in this Privacy Policy.
- Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts and the related information, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Feedback (e.g. collecting feedback via online form); Provision of our online offer and user-friendliness; Security measures; Organisational and administrative procedures.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
- Comments and posts: When users leave comments or other posts, their IP addresses may be stored on the basis of our legitimate interests. This is for our security in case someone leaves unlawful content (insults, prohibited political propaganda, etc.) in comments and posts. In such cases, we may be held liable for the comment or post and are therefore interested in the identity of the author. Furthermore, we reserve the right, on the basis of our legitimate interests, to process user information for the purposes of spam detection.
On the same legal basis, we reserve the right, in the case of surveys, to store users’ IP addresses for the duration of the surveys and to use cookies to prevent multiple votes.
The personal information provided in the context of comments and posts, any contact and website details as well as the content data will be stored by us until users object; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Contact and Request Management
When contacting us (e.g. by post, contact form, email, telephone or via social media) and within the context of existing user and business relationships, we process the information provided by the enquiring persons to the extent necessary for responding to contact enquiries and any requested measures.
- Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts and the related information, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Communication partners.
- Purposes of processing: Communication; Organisational and administrative procedures; Feedback (e.g. collecting feedback via online form); Provision of our online offer and user-friendliness.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Further notes on processing operations, procedures and services:
- Contact form: When contacting us via our contact form, email or other means of communication, we process the personal data transmitted to us in order to respond to and handle the respective request. This generally includes information such as name, contact details and, if applicable, further information that is communicated to us and is necessary for the appropriate handling of the request. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Newsletter and Electronic Notifications
We send newsletters, emails and other electronic notifications (hereinafter “newsletter”) only with the recipients’ consent or on the basis of a legal permission. Where the content of the newsletter is described in the context of signing up, this content is decisive for the users’ consent. For signing up to our newsletter, it is usually sufficient to provide your email address. However, in order to offer you a personalised service, we may ask you for your name for a personal salutation in the newsletter or for further information, where this is necessary for the purpose of the newsletter.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them to be able to prove that consent was previously given. The processing of this data is restricted to the purpose of potentially defending claims. An individual deletion request is possible at any time, provided that the previous existence of consent is confirmed at the same time. Where we are obliged to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “blocklist”).
The logging of the registration procedure is carried out on the basis of our legitimate interests for the purpose of proving its proper execution. Where we commission a service provider with sending emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.
Content:
Information about us, our services, promotions and offers.
- Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (e.g. by email or post).
- Legal bases: Consent (Art. 6(1)(a) GDPR).
- Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter, or you can otherwise use one of the contact options provided above, preferably email.
Further notes on processing operations, procedures and services:
- Measurement of open and click rates: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server or, where we use a mailing service provider, from their server when the newsletter is opened. As part of this retrieval, technical information is initially collected, such as information on the browser and your system, as well as your IP address and the time of retrieval. This information is used to technically improve our newsletter using technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations enable us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of open and click rates and storage of the measurement results in the users’ profiles – ; Legal bases: Consent (Art. 6(1)(a) GDPR).
Web Analytics, Monitoring and Optimisation
Web analytics (also referred to as “reach measurement”) is used to evaluate visitor flows to our online offer and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. Web analytics allows us, for example, to recognise at what time our online offer or its functions or content is used most frequently or invites reuse. We can also understand which areas require optimisation.
In addition to web analytics, we may also use testing procedures to test and optimise different versions of our online offer or its components.
Unless otherwise specified below, profiles (i.e. data summarised into a usage process) can be created for these purposes and information can be stored in a browser or on a device and then read. The collected information includes, in particular, visited websites and elements used there as well as technical details, such as the browser used, the computer system used and information on usage times. Where users have consented to the collection of their location data to us or to the providers of the services we use, location data may also be processed.
Furthermore, users’ IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. As a rule, no clear data of users (such as email addresses or names) is stored within the framework of web analytics, A/B testing and optimisation, but pseudonyms. That is, neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the purposes of the respective procedures.
Notes on legal bases: Where we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and user-friendly services). In this context, we also refer to the information on the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (creating user profiles); Provision of our online offer and user-friendliness.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
- Security measures: IP masking (pseudonymisation of the IP address).
- Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
- Google Analytics: We use Google Analytics to measure and analyse the use of our online offer on the basis of a pseudonymous user identification number. This identification number does not contain any clear data such as names or email addresses. It is used to assign analysis information to a device in order to recognise which content users have accessed within one or several usage processes, which search terms they have used, accessed again or interacted with in connection with our online offer. The time and duration of use, the sources of users referring to our online offer and technical aspects of their devices and browsers are also stored.
Pseudonymous user profiles are created with information from the use of different devices, and cookies may be used for this purpose. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geolocation data by deriving the following metadata from IP addresses: City (and derived latitude and longitude of the city), Continent, Country, Region, Subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible and is not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymisation of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for controlling the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
Presence on Social Networks (Social Media)
We maintain online presences on social networks and process user data in this context in order to communicate with users active there or to provide information about us.
We would like to point out that user data may be processed outside the European Union. This may pose risks to users because, for example, it could make it more difficult to enforce users’ rights.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behaviour and resulting interests. These may in turn be used, for example, to display advertisements inside and outside the networks that are presumed to correspond to the users’ interests. As a rule, cookies are stored on users’ computers in which the usage behaviour and interests of users are stored. Additionally, data may also be stored in user profiles irrespective of the devices used by users (especially if they are members of the respective platforms and logged in there).
For a detailed description of the respective forms of processing and the options for objecting (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the exercise of data subject rights, we also point out that these can most effectively be asserted with the providers. Only the providers have access to the users’ data in each case and can take appropriate measures and provide information directly. However, if you still need help, you can contact us.
- Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts and the related information, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Communication; Feedback (e.g. collecting feedback via online form); Public relations.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
- Instagram: Social network that enables sharing of photos and videos, commenting on and favouriting posts, sending messages, and subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
Plugins and Embedded Functions and Content
We incorporate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may, for example, be graphics, videos or city maps (hereinafter collectively referred to as “content”).
The integration always requires that the third-party providers of this content process the users’ IP address, as they would not be able to send the content to their browser without the IP address. The IP address is therefore necessary for the display of this content or functions. We endeavour only to use content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users’ devices and may, among other things, contain technical information about the browser and operating system, referring websites, time of visit and further information on the use of our online offer, and may also be linked with such information from other sources.
Notes on legal bases: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is such consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); Location data (information on the geographical position of a device or person).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offer and user-friendliness; Reach measurement (e.g. access statistics, recognition of returning visitors); Tracking (e.g. interest/behaviour-based profiling, use of cookies); Audience building; Marketing.
- Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
- Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
- Google Fonts (retrieval from Google server): Retrieval of fonts (and symbols) for the purpose of technically secure, maintenance-free and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform presentation and consideration of possible licensing restrictions. The provider of the fonts is informed of the users’ IP address so that the fonts can be made available in the users’ browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offer, users’ browsers send HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving the fonts). The Google Fonts Web API provides the CSS (Cascading Style Sheets) of Google Fonts and then the fonts specified in the CSS to the users. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e. the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analysed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wishes to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API needs the user agent in order to adapt the font that is generated for the respective browser type.
The user agent is primarily logged for debugging purposes and used to generate aggregated usage statistics to measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used to maintain the production and an aggregated report on the top integrations can be generated based on the number of font requests. According to its own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or for targeted advertising; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
- Google Maps: We integrate the maps of the “Google Maps” service provided by Google. The data processed may include, in particular, IP addresses and location data of users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF).
- YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for controlling the display of advertisements: https://myadcenter.google.com/personalizationoff.
Created with the free data protection generator by Dr. Thomas Schwenke