Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter briefly referred to as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).

The terms used are not gender-specific.

As of: October 23, 2024

Legal text by Dr. Schwenke.

Controller

Martin Dengler
Heideweg 24
95691 Hohenberg an der Eger OT Neuhaus

Authorized representatives: Martin Dengler
E-mail address: servus@denglerhof.de
Phone: +49 (0)9233 2404
Imprint: https://denglerhof.de/impressum

Contact Data Protection Officer

datenschutz@tekdesign.de

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of Data Processed

  • Master data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and process data.
  • Log data.

Special Categories of Data

  • Health data.

Categories of Data Subjects

  • Service recipients and clients.
  • Interested parties.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Third parties.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Conversion measurement.
  • Audience targeting.
  • Affiliate tracking.
  • Organizational and administrative procedures.
  • Firewall.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.
  • Business processes and commercial procedures.

Relevant Legal Bases

Relevant Legal Bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR regulations, national data protection requirements may apply in your or our country of residence or establishment. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the GDPR data protection regulations, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which protects against the misuse of personal data during data processing. The BDSG contains special regulations, in particular, on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transfer, and automated individual decision-making, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on the applicability of GDPR and Swiss DPA: These data protection notices serve to provide information both under the Swiss Data Protection Act (DPA) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to their broader spatial application and comprehensibility, the terms of the GDPR are used. Specifically, instead of the terms “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data” used in the Swiss DPA, the terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” as used in the GDPR are employed. However, the legal meaning of the terms will continue to be determined by the Swiss DPA within the scope of its applicability.

Security Measures

In accordance with legal requirements and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, ensuring availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the deletion of data, and responses to data breaches. Moreover, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by privacy-friendly default settings.

Securing Online Connections with TLS/SSL Encryption Technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transfer of Personal Data

In the course of our processing of personal data, it may happen that this data is transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing/transferring data to other persons, entities, or companies, this is done only in compliance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only occur if the data protection level is otherwise secured, in particular by standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). Furthermore, we will inform you of the bases for third-country transfers for individual providers from third countries, with adequacy decisions taking precedence as bases. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. Within the framework of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level as adequate for certain companies from the USA within the scope of the adequacy decision of 2023-07-10. The list of certified companies as well as further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you within the scope of the privacy policy which of our service providers are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original processing purpose ceases to apply or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information on the retention and deletion of data that specifically applies to certain processing activities.

If there are multiple indications regarding the retention period or deletion deadlines for data, the longest period always applies.

If a period does not explicitly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships within which data is stored, the event triggering the period is the effective date of termination or other cessation of the legal relationship.

Data that is no longer retained for its originally intended purpose but due to legal requirements or other reasons will be processed by us exclusively for the reasons justifying its retention.

Further information on processing operations, procedures, and services:

  • Data Retention and Deletion: The following general periods apply to retention and archiving under German law:
    • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents required for their understanding, booking vouchers, and invoices (§ 147 Abs. 3 i. V. m. Abs. 1 Nr. 1, 4 und 4a AO, § 14b Abs. 1 UStG, § 257 Abs. 1 Nr. 1 u. 4, Abs. 4 HGB).
    • 6 years – Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g., hourly wage slips, cost accounting sheets, calculation documents, price tags, but also payroll documents, insofar as they are not already booking vouchers, and cash register receipts (§ 147 Abs. 3 i. V. m. Abs. 1 Nr. 2, 3, 5 AO, § 257 Abs. 1 Nr. 2 u. 3, Abs. 4 HGB).
    • 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of Data Subjects under the GDPR: As data subjects, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw given consents at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to demand the completion of incomplete data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to demand that data concerning you be erased without undue delay, or, alternatively, to demand a restriction of the processing of the data in accordance with legal requirements.
  • Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
  • Right to lodge a complaint with a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Business Services

We process data from our contractual and business partners, such as customers and prospective customers (collectively referred to as “contractual partners”), within the scope of contractual and similar legal relationships, related measures, and for communication with these partners (or pre-contractually), for instance, to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any update obligations, and remedies for warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative tasks associated with these obligations, as well as for corporate organization. In addition, we process the data based on our legitimate interests in proper and economical business management, as well as in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the scope of applicable law, we only disclose contractual partners’ data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, within this privacy policy.

We inform contractual partners about which data is required for the aforementioned purposes either before or during data collection, for example, in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or in person.

We delete data after the expiry of statutory warranty and similar obligations, generally after four years, unless the data is stored in a customer account, for example, as long as it must be retained for archiving due to legal reasons (e.g., for tax purposes, usually ten years). Data disclosed to us by the contractual partner within the scope of an order will be deleted according to the specifications and generally after the order concludes.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers). Contract data (e.g., subject of contract, term, customer category).
  • Special categories of personal data: Health data.
  • Data subjects: Service recipients and clients; prospective customers. Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures. Business processes and economic procedures.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 S. 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 S. 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Hospitality, hotel, and accommodation services: We process the data of our guests, visitors, and prospective customers (uniformly referred to as “guests”) to provide our accommodation and related tourism or gastronomic services, and to bill for the services rendered. In the context of our engagement, it may be necessary for us to process special categories of data within the meaning of Art. 9 para. 1 GDPR, in particular, information concerning a person’s health or information related to their religious beliefs. The processing is carried out to protect the health interests of visitors (e.g., in the case of allergy information) or otherwise to meet their physical or mental needs upon request and with their consent. If required for contract fulfillment or by law, or with the guests’ consent, or based on our legitimate interests, we disclose or transmit guest data, e.g., to service providers involved in fulfilling our services, or to authorities, billing centers, as well as in the areas of IT, office, or comparable services; Legal bases: Fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 S. 1 lit. b) GDPR).

Business Processes and Procedures

Personal data of service recipients and clients – including customers, clients, or in special cases, mandates, patients, or business partners, as well as other third parties – are processed within the framework of contractual and similar legal relationships and pre-contractual measures, such as the initiation of business relationships. This data processing supports and facilitates business operations in areas like customer management, sales, payment transactions, accounting, and project management.

The collected data serves to fulfill contractual obligations and to ensure efficient operational processes. This includes processing business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal invoicing and financial processes. Additionally, the data supports safeguarding the controller’s rights and facilitates administrative tasks and company organization.

Personal data may be disclosed to third parties if necessary for the fulfillment of the stated purposes or legal obligations. After the expiry of statutory retention periods or if the purpose of processing ceases, the data will be deleted. This also includes data that must be stored longer due to tax law and legal proof obligations.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and contributions, as well as related information such as authorship details or time of creation); Contract data (e.g., subject of contract, term, customer category). Log data (e.g., log files concerning logins or data retrieval or access times).
  • Data subjects: Service recipients and clients; prospective customers; communication partners; business and contractual partners. Third parties.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and economic procedures. Communication.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 S. 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Contact management and maintenance: Procedures required for the organization, maintenance, and security of contact information (e.g., establishing and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restorations of contact data, training employees in the effective use of contact management software, regularly reviewing communication history, and adapting contact strategies); Legal bases: Fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 S. 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR).

Use of Online Platforms for Offering and Distribution Purposes

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our own. This applies particularly to the execution of payment transactions and the procedures used on the platforms for reach measurement and interest-based marketing.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject of contract, term, customer category); Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects: Service recipients and clients. Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; marketing; business processes and economic procedures. Affiliate tracking.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 S. 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Booking.com Partner Program: Affiliate marketing partner program; Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands; Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR); Website: https://www.booking.com. Privacy Policy: https://www.booking.com/content/privacy.de.html.
  • AirBNB: Airbnb function; Service provider: Name and address AirBNB; Website: URL to AirBNB. Privacy Policy: Link to AirBNB.
  • Easybooking: Easybooking function; Service provider: Name and address Easybooking; Website: Link to Easybooking website. Privacy Policy: Link to Easybooking privacy policy.

Provision of the Online Offering and Web Hosting

We process user data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the users’ browser or end device.

  • Types of data processed: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons); Log data (e.g., log files concerning logins or data retrieval or access times). Content data (e.g., textual or visual messages and contributions, as well as related information such as authorship details or time of creation).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called ‘web host’); Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and also to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidentiary purposes are exempt from deletion until the final clarification of the respective incident.
  • Email sending and hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of recipients and senders, as well as further information concerning email sending (e.g., the involved providers) and the content of the respective emails, are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails are generally not sent encrypted over the internet. As a rule, emails are encrypted during transmission, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and reception on our server; Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR).
  • Hetzner: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR); Website: https://www.hetzner.com; Privacy Policy: https://www.hetzner.com/de/rechtliches/datenschutz. Data Processing Agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
  • netcup: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: netcup GmbH, Daimlerstraße 25, D-76185 Karlsruhe, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR); Website: https://www.netcup.de/; Privacy Policy: https://www.netcup.de/kontakt/datenschutzerklaerung.php. Data Processing Agreement: https://helpcenter.netcup.com/de/wiki/general/avv/.
  • Raidboxes: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: RAIDBOXES GmbH, Hafenstraße 32, 48153 Münster, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 S. 1 lit. f) GDPR); Website: https://raidboxes.io/; Privacy Policy: https://raidboxes.io/legal/privacy/. Data Processing Agreement: https://helpcenter.raidboxes.de/de/articles/1947634-auftragsverarbeitungsvertrag-av.

Use of Cookies

The term “cookies” refers to functions that store and read information on users’ devices. Cookies can also be used for various purposes, such as the functionality, security and convenience of online services, as well as the creation of analyses of visitor flows. We use cookies in accordance with legal requirements. For this purpose, we obtain the user’s consent in advance, if necessary. If consent is not necessary, we rely on our legitimate interests. This applies if the storage and reading of information is essential to be able to provide expressly requested content and functions. This includes, for example, the storage of settings and the ensuring of the functionality and security of our online services. Consent can be withdrawn at any time. We provide clear information about their scope and which cookies are used.

Information on data protection legal bases: Whether we process personal data with the help of cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the log-in status can be saved and preferred content can be displayed directly when the user visits a website again. Likewise, the user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information on the type and storage period of cookies (e.g. as part of obtaining consent), they should assume that these are permanent and that the storage period can be up to two years.

General information on revocation and objection (opt-out): Users can revoke their given consent at any time and also declare an objection to the processing in accordance with the legal requirements, also by means of the privacy settings of their browser.

  • Processed data types: Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved). Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures, and services:

  • Processing of cookie data on the basis of consent: We use a consent management solution in which the user’s consent to the use of cookies or to the procedures and providers mentioned in the consent management solution is obtained. This procedure serves to obtain, log, manage and revoke consent, in particular with regard to the use of cookies and comparable technologies that are used to store, read and process information on users’ devices. Within the scope of this procedure, the users’ consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure. Users also have the option of managing and revoking their consent. The declarations of consent are stored in order to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to be able to assign the consent to a specific user or their device. Unless specific information is available on the providers of consent management services, the following general information applies: The duration of storage of consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g. categories of cookies and/or service providers concerned) and information about the browser, system and device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Cookie opt-out: In the footer of our website you will find a link via which you can change your cookie settings and revoke your consent accordingly; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • BorlabsCookie: Consent management: Procedure for obtaining, logging, managing and revoking consent, in particular for the use of cookies and similar technologies for storing, reading and processing information on users’ devices and their processing; Service provider: Execution on servers and/or computers under own data protection responsibility; Website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language and types of consent and the time they were given are stored on the server side and in the cookie on the user’s device.

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). The data of the readers are processed for the purposes of the publication medium only to the extent that it is necessary for its presentation and communication between authors and readers or for reasons of security. Otherwise, we refer to the information on the processing of visitors to our publication medium within the framework of this data protection notice.

  • Processed data types: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and e-mail addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as the information concerning them, such as information on authorship or time of creation); Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Feedback (e.g. collecting feedback via online form); Provision of our online offer and user-friendliness; Communication; Organisational and administrative procedures. Security measures.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures, and services:

  • Comments and posts: When users leave comments or other posts, their IP addresses may be stored on the basis of our legitimate interests. This is for our security in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves can be held liable for the comment or post and are therefore interested in the identity of the author. Furthermore, we reserve the right, on the basis of our legitimate interests, to process the user’s data for the purpose of spam detection. On the same legal basis, we reserve the right, in the case of surveys, to store the IP addresses of users for their duration and to use cookies to avoid multiple votes. The information on the person provided in the context of comments and posts, any contact and website information as well as the content information are permanently stored by us until the user objects; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Comment subscriptions: Users can subscribe to follow-up comments with their consent. Users receive a confirmation email to verify that they are the owner of the email address entered. Users can unsubscribe from ongoing comment subscriptions at any time. The confirmation email will contain information on how to unsubscribe. For the purposes of proving the user’s consent, we store the time of registration together with the user’s IP address and delete this information when users unsubscribe from the subscription. You can cancel the receipt of our subscription at any time, i.e. revoke your consent. We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Retrieval of WordPress emojis and smileys: Within our WordPress blog, graphical emojis (or smileys), i.e. small graphic files that express feelings, are used for the purpose of efficiently integrating content elements and are obtained from external servers. The providers of the servers collect the IP addresses of the users. This is necessary so that the emoji files can be transmitted to the users’ browsers; Service provider: Aut O’Mattic A8C Irland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://automattic.com; Data protection declaration: https://automattic.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF).
  • Profile pictures from Gravatar: We use the Gravatar service within our online offer and especially in the blog. Gravatar is a service where users can register and store profile pictures and their email addresses. When users leave posts or comments with the respective email address on other online presences (especially in blogs), their profile pictures can be displayed next to the posts or comments. For this purpose, the email address provided by the users is transmitted to Gravatar in encrypted form for the purpose of checking whether a profile is stored for it. This is the only purpose of transmitting the email address. It is not used for other purposes, but is deleted afterwards. Gravatar is used on the basis of our legitimate interests, as Gravatar allows us to offer the authors of posts and comments the opportunity to personalise their posts with a profile picture. By displaying the images, Gravatar learns the IP address of the users, as this is necessary for communication between a browser and an online service. If users do not want a user picture linked to their email address on Gravatar to appear in the comments, they should use an email address that is not stored on Gravatar to comment. We would also like to point out that it is possible to use an anonymous email address or no email address at all if users do not want their own email address to be sent to Gravatar. Users can completely prevent the transmission of data by not using our comment system; Service provider: Aut O’Mattic A8C Irland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://automattic.com; Data protection declaration: https://automattic.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF).

Contact and Request Management

When you contact us (e.g. by post, contact form, email, telephone or via social media) and within the framework of existing user and business relationships, the data of the requesting persons are processed to the extent that this is necessary to answer the contact requests and any requested measures.

  • Processed data types: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and e-mail addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as the information concerning them, such as information on authorship or time of creation); Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; Organisational and administrative procedures; Feedback (e.g. collecting feedback via online form). Provision of our online offer and user-friendliness.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contractual performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When you contact us via our contact form, by email or other means of communication, we process the personal data transmitted to us to answer and process the respective request. This usually includes information such as name, contact information and, if applicable, other information that is communicated to us and is necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Contractual performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web Analysis, Monitoring and Optimisation

Web analysis (also referred to as “reach measurement”) is used to evaluate the visitor flows of our online offer and can include behaviour, interests or demographic information on the visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online offer or its functions or content are most frequently used or invite repeat use. It is also possible for us to understand which areas need optimisation.

In addition to web analysis, we can also use testing methods to test and optimise different versions of our online offer or its components.

Unless otherwise stated below, profiles, i.e. data summarised for a usage process, can be created for these purposes and information can be stored in a browser or in a device and then read out. The information collected includes in particular websites visited and elements used there, as well as technical information, such as the browser used, the computer system used and information on usage times. If users have consented, to us or to the providers of the services we use, to the collection of their location data, the processing of location data is also possible.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users. Generally, within the scope of web analysis, A/B testing, and optimization, no clear user data (such as email addresses or names) is stored, but rather pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of Data Processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers). Content data (e.g., textual or visual messages and posts, as well as related information such as authorship details or time of creation).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creation of user profiles); Security measures; Firewall; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Conversion measurement (measuring the effectiveness of marketing measures); Marketing. Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Security Measures: IP masking (pseudonymization of the IP address).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • WP Armour: Anti-spam filter that blocks spam bots; Service Provider: Execution on servers and/or computers under its own data protection responsibility. Website: https://wordpress.org/plugins/honeypot/.
  • Google Ads and Conversion Measurement: Online marketing procedure for the purpose of placing content and ads within the service provider’s advertising network (e.g., in search results, videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the ads. In addition, we measure the conversion of the ads, i.e., whether users have taken them as an opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: Data Privacy Framework (DPF); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
  • Google AdSense with personalized ads: We integrate the Google AdSense service, which allows personalized ads to be placed within our online offering. Google AdSense analyzes user behavior and uses this data to display targeted advertising tailored to the interests of our visitors. For each ad placement or other uses of these ads, we receive financial compensation; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services data processing terms between controllers and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data, such as names or email addresses. It serves to assign analysis information to an end device in order to recognize which content users have accessed within one or various usage processes, which search terms they have used, whether they have accessed content again, or whether they have interacted with our online offering. Likewise, the time and duration of use are stored, as well as the sources that refer users to our online offering and technical aspects of their end devices and browsers.
    In this process, pseudonymous user profiles are created with information from the use of various devices, whereby cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security Measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third-Country Transfers: Data Privacy Framework (DPF); Right to Object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for ad display: https://myadcenter.google.com/personalizationoff. Further Information: https://business.safety.google/adsservices/ (Types of processing and data processed).
  • Google Analytics (Server-Side Use): We use Google Analytics to measure and analyze users’ use of our online services. While user data is processed, it is not transmitted directly from the users’ end device to Google. In particular, users’ IP addresses are not transmitted to Google. Instead, the data is first transmitted to our server, where the user data records are assigned to our internal user identification number. The subsequent transmission occurs only in this pseudonymized form from our server to Google. The identification number does not contain unique data, such as names or email addresses. It serves to assign analysis information to an end device in order to recognize which content users have accessed within one or various usage processes, which search terms they have used, whether they have accessed content again, or whether they have interacted with our online offering. Likewise, the time and duration of use are stored, as well as the sources that refer users to our online offering and technical aspects of their end devices and browsers. In this process, pseudonymous user profiles are created with information from the use of various devices, whereby cookies may be used. In Analytics, higher-level geographical location data is provided by collecting the following metadata based on IP lookup: “City” (and the derived latitude and longitude of the city), “Continent”, “Country”, “Region”, “Subcontinent” (and the ID-based equivalents); Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Further Information: https://business.safety.google/adsservices/ (Types of processing and data processed).

Online Marketing

We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on potential user interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called “cookie”) or similar procedures are used, by means of which the user data relevant for the display of the aforementioned content is stored. This may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information, such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

In addition, users’ IP addresses are stored. However, we use available IP masking procedures (i.e., pseudonymization by truncating the IP address) for user protection. Generally, within the scope of online marketing procedures, no clear user data (such as email addresses or names) is stored, but rather pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual user identity, but only the information stored in their profiles.

The statements in the profiles are generally stored in cookies or by means of similar procedures. These cookies can later generally also be read out on other websites that use the same online marketing procedure, analyzed for the purpose of displaying content, supplemented with further data, and stored on the server of the online marketing procedure provider.

Exceptionally, it is possible to assign clear data to the profiles, primarily when users are, for example, members of a social network whose online marketing procedures we use and the network links the user profiles with the aforementioned information. We ask you to note that users can make additional agreements with the providers, for example, by giving consent during registration.

In principle, we only receive access to aggregated information about the success of our advertisements. However, within the scope of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, i.e., for example, to a contract conclusion with us. Conversion measurement is used solely for the success analysis of our marketing measures.

Unless otherwise stated, please assume that cookies used will be stored for a period of two years.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Notes on Revocation and Objection:

We refer to the privacy policies of the respective providers and the objection options (so-called “opt-out”) specified for the providers. If no explicit opt-out option has been specified, you can disable cookies in your browser settings. However, this may restrict functions of our online offering. Therefore, we additionally recommend the following opt-out options, which are offered collectively for respective regions:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://www.youradchoices.ca/choices.

c) USA: https://www.aboutads.info/choices.

d) Cross-regional: https://optout.aboutads.info.

  • Types of Data Processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Tracking (e.g., interest/behavior-based profiling, use of cookies); Audience formation; Marketing; Profiles with user-related information (creation of user profiles). Conversion measurement (measuring the effectiveness of marketing measures).
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Security Measures: IP masking (pseudonymization of the IP address).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Google Ads and Conversion Measurement: Online marketing procedure for the purpose of placing content and ads within the service provider’s advertising network (e.g., in search results, videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the ads. In addition, we measure the conversion of the ads, i.e., whether users have taken them as an opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: Data Privacy Framework (DPF); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
  • Enhanced Conversions for Google Ads: If users click on our Google ads and subsequently use the advertised service (so-called “conversion”), the data entered by the user, such as email address, name, residential address, or phone number, may be transmitted to Google. The hash values are then matched with existing Google accounts of the users to better evaluate and improve user interaction with the ads (e.g., clicks or views) and thus their performance; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
  • Google AdSense with personalized ads: We integrate the Google AdSense service, which allows personalized ads to be placed within our online offering. Google AdSense analyzes user behavior and uses this data to display targeted advertising tailored to the interests of our visitors. For each ad placement or other uses of these ads, we receive financial compensation; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services data processing terms between controllers and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.

Customer Reviews and Rating Procedures

We participate in review and rating procedures to evaluate, optimize, and promote our services. If users rate us or provide other feedback via the involved rating platforms or procedures, the general terms and conditions of use and the privacy policies of the providers also apply. As a rule, a rating also requires registration with the respective providers.

To ensure that the reviewers have actually used our services, with the customer’s consent, we transmit the necessary data regarding the customer and the service used to the respective rating platform (including name, email address, and order number or item number). This data is used solely to verify the authenticity of the user.

  • Types of data processed: Contract data (e.g., subject matter of contract, term, customer category); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Persons affected: Beneficiaries and clients. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Feedback (e.g., collecting feedback via online form). Marketing.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Rating Widget: We integrate so-called “rating widgets” into our online offering. A widget is a functional and content element integrated into our online offering that displays changeable information. It can be displayed, for example, in the form of a seal or a comparable element, sometimes also called a “badge”. While the corresponding content of the widget is displayed within our online offering, it is retrieved at that moment from the servers of the respective widget provider. This is the only way to always show the current content, especially the current rating. For this purpose, a data connection must be established from the website called up within our online offering to the server of the widget provider, and the widget provider receives certain technical data (access data, including IP address) that are necessary for the content of the widget to be delivered to the user’s browser. Furthermore, the widget provider receives information that users have visited our online offering. This information can be stored in a cookie and used by the widget provider to recognize which online offerings participating in the rating procedure have been visited by the user. The information can be stored in a user profile and used for advertising or market research purposes; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: When collecting customer reviews, an identification number and the time of the business transaction to be reviewed, the customer’s email address and their country of residence for review requests sent directly to customers, as well as the review details themselves, are processed; Further details on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services data processing terms between controllers and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.

Plug-ins and Embedded Functions as Well as Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can be, for example, graphics, videos, or city maps (hereinafter uniformly referred to as “content”).

The integration always requires that the third-party providers of this content process the users’ IP address, as they would not be able to send the content to their browser without the IP address. The IP address is therefore necessary for the display of this content or functions. We strive to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the users’ devices and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other details about the use of our online offering, but can also be linked with such information from other sources.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Content data (e.g., textual or visual messages and posts and related information, such as authorship details or time of creation); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Location data (information on the geographical position of a device or person); Payment data (e.g., bank details, invoices, payment history). Contract data (e.g., subject matter of contract, term, customer category).
  • Data subjects: Users (e.g., website visitors, users of online services); Service recipients and clients. Prospects.
  • Purposes of processing: Provision of our online offering and user-friendliness. Provision of contractual services and fulfillment of contractual obligations.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing operations, procedures, and services:

  • Integration of third-party software, scripts, or frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from the servers of other providers (e.g., function libraries that we use for the display or user-friendliness of our online offering). In doing so, the respective providers collect the IP address of the users and can process it for the purpose of transmitting the software to the users’ browser, as well as for security purposes, and for evaluating and optimizing their offering; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Fonts (provision on own server): Provision of font files for a user-friendly display of our online offering; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Font Awesome (provision on own server): Display of fonts and icons; Service provider: The Font Awesome icons are hosted on our server, no data is transmitted to the Font Awesome provider; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Maps: We integrate the maps of the “Google Maps” service from Google. The processed data may include, in particular, users’ IP addresses and location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
  • Google Maps APIs and SDKs: Interfaces to Google’s map and location services, which allow, for example, the completion of address entries, location determination, distance calculations, or the provision of supplementary information on locations and other places; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
  • YouTube Videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Right to object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for ad display: https://myadcenter.google.com/personalizationoff.
  • Stripe: Payment services (technical integration of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal bases: Fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/de/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

Management, Organization, and Auxiliary Tools

We use services, platforms, and software from other providers (hereinafter referred to as “third-party providers”) for the purposes of organizing, managing, planning, and providing our services. When selecting third-party providers and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. Various data that we process in accordance with this privacy policy may be affected. This data may include, in particular, master data and contact data of users, data on processes, contracts, other procedures, and their contents.

If users are referred to third-party providers or their software or platforms in the course of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask you to observe the privacy policies of the respective third-party providers.

  • Types of data processed: Content data (e.g., textual or visual messages and posts and related information, such as authorship details or time of creation); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
  • Retention and deletion: Deletion according to the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, and we ask you to verify the information before contacting them.

Definitions of Terms

This section provides an overview of the terms used in this Privacy Policy. Where terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

  • Affiliate Tracking: As part of affiliate tracking, links that referring websites use to direct users to websites with product or other offers are logged. The operators of the respective linking websites may receive a commission if users follow these so-called affiliate links and subsequently take advantage of the offers (e.g., purchase goods or use services). For this purpose, it is necessary for providers to be able to track whether users who are interested in certain offers subsequently take advantage of them due to the affiliate links. Therefore, for affiliate links to function, they must be supplemented with certain values that become part of the link or are otherwise stored, e.g., in a cookie. These values include, in particular, the originating website (referrer), the time, an online identifier of the website operator where the affiliate link was located, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as ad ID, partner ID, and categorizations.
  • Master Data: Master data comprises essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling clear assignment and communication.
  • Firewall: A firewall is a security system that protects a computer network or a single computer from unauthorized network access.
  • Content Data: Content data comprises information generated during the creation, editing, and publication of all types of content. This category of data may include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
  • Contact Data: Contact data is essential information that enables communication with individuals or organizations. It includes, among others, phone numbers, postal addresses, and email addresses, as well as communication tools such as social media handles and instant messaging identifiers.
  • Conversion Measurement: Conversion measurement (also referred to as “visit action evaluation”) is a process by which the effectiveness of marketing measures can be determined. Typically, a cookie is stored on users’ devices within the websites where marketing activities take place and then retrieved again on the target website. For example, this allows us to track whether the ads we placed on other websites were successful.
  • Meta, Communication, and Process Data: Meta, communication, and process data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It may include details on file size, creation date, document author, and modification histories. Communication data records the exchange of information between users across various channels, such as email traffic, call logs, social network messages, and chat histories, including the individuals involved, timestamps, and transmission paths. Process data describes the processes and workflows within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs used for tracking and verifying operations.
  • Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a wide range of information showing how users utilize applications, which features they prefer, how long they stay on certain pages, and which paths they navigate through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal Data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • User Profiles: The processing of “profiles with user-related information,” or simply “profiles,” encompasses any automated processing of personal data that involves using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.) (e.g., interests in specific content or products, click behavior on a website, or location). For profiling purposes, cookies and web beacons are frequently used.
  • Log Data: Log data is information about events or activities that have been logged in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used for analyzing system problems, security monitoring, or generating performance reports.
  • Audience Measurement: Audience measurement (also referred to as Web Analytics) serves to evaluate the visitor flows of an online offering and may include the behavior or interests of visitors in certain information, such as website content. With the help of audience analysis, operators of online offerings can, for example, identify when users visit their websites and what content they are interested in. This allows them, for example, to better adapt the website content to the needs of their visitors. For the purpose of audience analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more accurate analyses of the use of an online offering.
  • Location Data: Location data is generated when a mobile device (or another device with the technical prerequisites for location determination) connects to a cell tower, Wi-Fi, or similar technical means and functions for location determination. Location data serves to indicate the geographically determinable position of the respective device on Earth. Location data can be used, for example, to display map functions or other location-dependent information.
  • Tracking: “Tracking” refers to the ability to trace user behavior across multiple online offerings. Typically, behavioral and interest information regarding the online offerings used is stored in cookies or on the servers of tracking technology providers (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.
  • Controller: “Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, be it collection, evaluation, storage, transmission, or deletion.
  • Contract Data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This data category is essential for the administration and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include contract start and end dates, the type of agreed services or products, pricing agreements, payment terms, termination rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment Data: Payment data comprises all information required for processing payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers, and billing information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.
  • Audience Creation: Audience creation (also referred to as “Custom Audiences”) refers to the process of defining target audiences for advertising purposes, e.g., for displaying advertisements. For example, based on a user’s interest in certain products or topics on the internet, it can be inferred that this user is interested in advertisements for similar products or the online shop where they viewed the products. “Lookalike Audiences” (or similar audiences) refers to when content deemed suitable is displayed to users whose profiles or interests presumably match those of the users for whom the profiles were created. For the purpose of creating Custom Audiences and Lookalike Audiences, cookies and web beacons are typically used.