Data protection

Preamble

With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).
The terms used are not gender-specific.
Status: March 01, 2025

Table of contents

• Preamble
• Controller
• Overview of processing
• Relevant legal bases
• SecuriTable of contents
• measures
• Transfer of personal data
• International data transfers
• General information on data storage and erasure
• Rights of data subjects
• Business services
• Business processes and procedures
• Provision of online services and web hosting
• Use of cookies
• Registration, Registration, login and user account
• Contact and inquiry management
• Communication via messenger
• Newsletter and electronic notifications
• Promotional communication via email, post, fax or telephone
• Prize draws and competitions
• Surveys and interviews
• Web analysis, monitoring and optimization
• Online marketing
• Affiliate programs and affiliate links
• Customer reviews and evaluation procedures
• Presence in social networks (social media)
• Plug-ins and embedded functions and content

Person responsible

Florian Watermann Marquardtsweg 2
21217 Seevetal, Deutschland
E-Mail-Adresse: florian@watermann-immbobilien.de

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

• Inventory data.
• Payment data.
• Location data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication and process data.
• Event data (Facebook).
• Log data.

Categories of data subjects

• Beneficiaries and clients.
• Interested parties.
• Communication partners.
• Users.
• Competition and contest participants.
• Business and contractual partners.
• Participants.
• Customers.

Purposes of processing

• Provision of contractual services and fulfillment of contractual obligations.
  Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Office and organizational procedures.
• Conversion measurement.
• Target group formation.
• Affiliate tracking.
• Organizational and administrative procedures.
• Running prize draws and competitions.
• Feedback.
• Surveys and questionnaires.
• Marketing.
• Profiles with user-related information.
• Provision of our online services and user-friendliness.
• Information technology infrastructure.
• Public relations.
• Sales promotion.
• Business processes and business management procedures.

Relevant legal bases

Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of their personal data for a specific purpose or several specific purposes.
Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject
is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. The data protection laws of the individual federal states may also apply.

Note on the applicability of the GDPR and Swiss FADP: This data protection notice serves to provide information in accordance with both the Swiss FADP and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the broader geographical application and comprehensibility. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “sensitive personal data” used in the Swiss DPA, the terms ‘processing’ of “personal data”, “legitimate interest” and “special categories of data” used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DPA within the scope of application of the Swiss DPA.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Data Disclosure in the Context of Personal Data Processing

In the course of processing personal data, it may be necessary to transfer or disclose such data to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure their protection.

International Data Transfers

Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if such processing occurs in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies, this is only carried out in compliance with legal regulations. If the level of data protection in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers occur only if the data protection level is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49 para. 1 GDPR). Additionally, we inform you of the basis for third-country transfers by individual providers from such countries, with adequacy decisions taking precedence. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the European Commission:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
Under the “Data Privacy Framework” (DPF), the European Commission has also recognized the data protection level as adequate for certain U.S. companies as of July 10, 2023. A list of certified companies and further information about the DPF is available on the U.S. Department of Commerce website:
https://www.dataprivacyframework.gov/.
We inform you in our data privacy notices about which of the service providers we use are certified under the DPF.

General Information on Data Storage and Deletion

We delete personal data we process according to legal requirements once the underlying consents are withdrawn or there are no further legal bases for processing. This applies in cases where the original purpose for processing no longer exists or the data is no longer needed. Exceptions apply where legal obligations or specific interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices include additional information about data retention and deletion specific to certain processing activities.
If multiple retention periods are specified for certain data, the longest period shall always apply.

If a period does not explicitly start on a particular date and is at least one year long, it automatically begins at the end of the calendar year in which the triggering event occurred. In ongoing contractual relationships, the triggering event is the termination or other conclusion of the legal relationship.
Data that is retained for legal or other reasons but no longer needed for its original purpose is processed solely for the reasons that justify its retention.

Additional Notes on Processing Activities, Procedures, and Services

Retention and Deletion Periods: The following general retention and archiving periods apply under German law:

• 10 years – Retention of books and records, annual financial statements, inventories, management reports, opening balances, and related organizational documents (§ 147 para. 1 no. 1 in conjunction with para. 3 AO; § 14b para. 1 UStG; § 257 para. 1 no. 1 in conjunction with para. 4 HGB).

• 8 years – Accounting vouchers, e.g., invoices and cost records (§ 147 para. 1 nos. 4 and 4a in conjunction with para. 3 sentence 1 AO; § 257 para. 1 no. 4 in conjunction with para. 4 HGB).

• 6 years – Other business documents: received commercial letters, copies of sent business letters, and other documents relevant for taxation (§ 147 para. 1 nos. 2, 3, 5 in conjunction with para. 3 AO; § 257 para. 1 nos. 2 and 3 in conjunction with para. 4 HGB).

• 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and associated inquiries based on past business experience and industry practices are stored for the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Under the GDPR, you have various rights as a data subject, particularly under Articles 15–21 GDPR:

• Right to object: You may object at any time, on grounds relating to your particular situation, to the processing of your personal data under Art. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions. You may also object to the processing of your personal data for direct marketing purposes at any time.

• Right of withdrawal: You may withdraw your consent at any time.

• Right of access: You have the right to obtain confirmation whether your personal data is being processed and access to the data and related information.

• Right to rectification: You have the right to have inaccurate or incomplete personal data corrected.

• Right to erasure and restriction: You may request deletion of your data or restriction of processing under legal conditions.

• Right to data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format or to have it transferred to another controller.

• Right to lodge a complaint: You may lodge a complaint with a supervisory authority in your habitual residence, workplace, or the location of the alleged infringement.

Business Services

We process data of our contractual and business partners (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships, including associated measures and communication (pre-contractual as well). This may include responding to inquiries.

We use this data to fulfill our contractual obligations, including service delivery, updates, warranty obligations, and remedy of service issues. We also use the data to protect our rights, for administrative tasks, and company organization. Furthermore, data is processed based on our legitimate interests in proper and efficient business management, and security measures to protect our business and our partners’ data and rights (e.g., involving telecom, transport, subcontractors, banks, tax or legal advisors, payment providers, or authorities).
We only disclose data to third parties to the extent necessary for the purposes mentioned above or to fulfill legal obligations.
We inform our contractual partners, prior to or during data collection (e.g., via forms, symbols, or personally), which data is required.

We delete data after the expiration of statutory warranty and similar obligations—generally after four years—unless data is stored in a customer account or must be retained longer for legal reasons (e.g., ten years for tax purposes). Data disclosed to us in the course of an order is deleted in accordance with applicable requirements, generally after completion of the order.

Types of data processed: Master data (e.g., name, address, contact details, customer number); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses, phone numbers); contract data (e.g., contract subject, duration, customer category).
Data subjects: Service recipients and contractors; prospects; business and contractual partners.
Purposes of processing: Fulfillment of contractual obligations; communication; administrative and organizational tasks; business operations.
Retention and deletion: According to the section “General Information on Data Storage and Deletion.”
Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR); legal obligation (Art. 6 para. 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Business Processes and Procedures

Data from clients, customers, patients, or business partners and other third parties is processed in the context of contractual or pre-contractual relationships. This processing supports business functions such as customer management, sales, payments, accounting, and project management.

Data is used to fulfill contractual obligations, manage business processes efficiently, handle transactions, optimize sales strategies, and maintain financial processes. It also supports rights protection, administration, and company organization.

Personal data may be shared with third parties when necessary for these purposes or legal compliance.

Types of data processed: Master data; payment data; contact data; content data (e.g., text or image messages and their associated metadata); contract data; usage data (e.g., page visits, session duration, click paths, device types); metadata, communication, and procedural data (e.g., IP addresses, timestamps, identifiers).
Data subjects: Customers, prospects, communication partners, business partners.
Purposes: Fulfilling contracts, administration, operations, security, providing online services.
Retention and deletion: See “General Information on Data Storage and Deletion.”
Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Customer Accounts

Users can create accounts on our online services. Where necessary, we inform users of this requirement and the necessary information. Customer accounts are private and not indexable by search engines. We log IP addresses and access times for registration and abuse prevention purposes. Deleted accounts are erased unless data must be retained for legal reasons.
It is the customer’s responsibility to back up their data before account termination.
Legal bases: Contract performance and legitimate interests (Art. 6 para. 1 lit. b and f GDPR).

Provision of Online Services and Web Hosting

We process user data to provide online services, including IP addresses, necessary for delivering content and functions to browsers or devices.

Types of data processed: Usage data; metadata and communication data; log data (e.g., login events, access times); content data (e.g., messages, posts, author info).
Data subjects: Website visitors and online service users.
Purposes: Providing online services; IT infrastructure; security; contractual services.
Retention and deletion: As described in “General Information on Data Storage and Deletion.”
Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).

Additional services and processing:

• Hosting via rented servers: Use of external hosting infrastructure; legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR).

• Self-hosted infrastructure: Use of our own servers; legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR).

• Access logs: Accesses are logged (e.g., visited pages, timestamps, IP, provider) for security and system stability.
  Log deletion: Max. 30 days unless needed for legal purposes.

Use of Cookies

The term “cookies” refers to functions that store and retrieve information on users’ devices. Cookies may be used for various purposes, such as ensuring the functionality, security, and user-friendliness of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. Where required, we obtain users’ consent beforehand. If consent is not necessary, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide content and functions that are expressly requested. This includes saving settings and ensuring the functionality and security of our online services. Consent may be revoked at any time. We clearly inform users about the scope of usage and which cookies are used.

Legal Basis for Data Protection: Whether we process personal data using cookies depends on the user’s consent. If consent is given, it serves as the legal basis. Without consent, we rely on legitimate interests, as explained in this section and within the context of each service and process.

Storage Duration: Regarding storage duration, cookies are classified as follows:

• Temporary cookies (also: session cookies): These are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile app).

• Permanent cookies: These remain stored even after closing the device. They may store login status and display preferred content directly when the user revisits a site. Data collected via cookies may also be used for audience measurement. Unless otherwise specified (e.g., when obtaining consent), users should assume that such cookies are permanent and may be stored for up to two years.

General Information on Revocation and Objection (Opt-out): Users may revoke their consent at any time and object to processing in accordance with legal regulations, including through the privacy settings of their browser.

Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
Affected Individuals: Users (e.g., website visitors, users of online services).
Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Further Notes on Processing Procedures, Services, and Tools

Processing of Cookie Data Based on Consent:
We use a consent management solution that obtains users’ permission for cookies or the services and providers mentioned within the consent solution. This procedure handles obtaining, logging, managing, and revoking consent, particularly regarding the use of cookies and similar technologies that store, retrieve, and process information on users’ devices. Users can manage and withdraw their consents. Consent declarations are stored to avoid repeated requests and to comply with legal proof obligations. Storage occurs server-side and/or via a cookie (known as an opt-in cookie) or similar technology to associate consent with a specific user or device. Unless otherwise specified, consent may be stored for up to two years.

BorlabsCookie – Consent Management:
Procedure for collecting, logging, managing, and revoking consents, especially regarding cookies and similar technologies.
Provider: Operated under its own data protection responsibility.
Website: https://de.borlabs.io/borlabs-cookie/
Further Info: A unique user ID, language, types of consent, and the time of submission are stored on the server and in a cookie on the user’s device.

Registration, Login, and User Accounts

Users can create an account. Required data will be communicated and processed for account setup based on contractual obligations. This includes login data (username, password, email address).

During use of registration/login functions, we store the IP address and time of the action based on our and users’ legitimate interest in preventing abuse or unauthorized use. Data is not shared with third parties unless legally required or necessary to assert legal claims.

Users may receive notifications (e.g., technical changes) by email.

Types of Data Processed: Master data (e.g., full name, address, contact details, customer ID); contact data; content data (e.g., messages, posts); usage data; log data (e.g., login logs).
Affected Individuals: Users.
Purposes: Contract performance; security measures; organizational and administrative procedures; providing and optimizing online services.
Retention and Deletion: As per general data retention and deletion policy. Deleted upon account termination.
Legal Bases: Contract performance (Art. 6 para. 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Further Information on Processing

Real Name Policy: Due to the nature of our community, we ask users to use real names. Pseudonyms are not permitted.
Legal Basis: Contract performance (Art. 6 para. 1 lit. b GDPR).
Profiles Are Not Publicly Visible.

Contact and Inquiry Management

When users contact us (e.g., by mail, contact form, email, phone, or social media), their information is processed as necessary to respond.

Types of Data Processed: Master, contact, content, usage, and metadata (e.g., IP addresses, timestamps).
Affected Individuals: Communication partners.
Purposes: Communication; administration; feedback collection; providing user-friendly online services.
Retention and Deletion: As per general retention policy.
Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f GDPR); contract performance (Art. 6 para. 1 lit. b GDPR).

Contact Form: We process submitted data (usually name, contact info, and other necessary information) to respond appropriately.
Legal Bases: Contract performance (Art. 6 para. 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Communication via Messenger

We use messengers for communication. Please consider encryption, metadata, and opt-out rights.

End-to-end encryption means content (messages and attachments) is not visible to third parties, not even the provider. Always use updated versions with encryption enabled.

Messenger providers may still process metadata (e.g., who communicated with whom, when, and from what device/location).

Legal Basis: If consent is requested before communication, it serves as the basis. Otherwise, communication is based on contractual measures or our legitimate interest in efficient, user-friendly communication. We never share contacts with messengers without consent.

Revocation, Objection, and Deletion: Consent can be withdrawn at any time.

Types of Data: Contact and content data, depending on the message.
Affected Individuals: Communication partners.
Purpose: Communication.
Retention and Deletion: As per general retention policy.
Legal Bases: Consent (Art. 6 para. 1 lit. a GDPR); contract performance (Art. 6 para. 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Newsletter and Electronic Notifications

We only send newsletters with recipients’ consent or legal permission. The specified content determines the scope of consent. Usually, only the email address is required for sign-up. For personalized services, we may request additional details (e.g., name).

Deletion and Processing Restriction: Unsubscribed email addresses may be stored for up to three years based on our legitimate interest to prove previous consent. Processing is limited to potential legal defense. You may request immediate deletion with confirmation of prior consent. For persistent opt-outs, addresses may be added to a blocklist.

Logging Sign-up: Done for documentation and security purposes.
Third-party providers: If used, are selected based on secure and efficient delivery.

Content: Information about us, our services, promotions, and offers.

Types of Data: Contact, usage, and metadata; Event Data (Facebook Pixel – anonymized behavioral tracking).
Affected Individuals: Communication partners.
Purpose: Direct marketing; communication.
Legal Bases: Consent (Art. 6 para. 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).
Opt-out: Users may unsubscribe at any time using the link at the end of each newsletter or by contacting us directly.

Additional Details

Tracking Open & Click Rates: Newsletters contain “web beacons” – small files that are downloaded when emails are opened. They track browser data, IP address, and time, and help tailor content to user behavior. Data is stored in user profiles until deleted.
Legal Basis: Consent (Art. 6 para. 1 lit. a GDPR).

Facebook Messenger Broadcasts: End-to-end encrypted.
Provider: Meta Platforms Ireland Ltd.
Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Opt-out: Facebook Ad Preferences

Mailchimp: For email marketing, automation, contact management, and analytics.
Provider: Rocket Science Group, LLC, USA.
Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Website: https://mailchimp.com
Privacy Policy: Mailchimp Privacy

Sweepstakes and Competitions

We process personal data of sweepstakes and competition participants in compliance with applicable data protection regulations, to the extent that processing is required to provide, carry out, and manage the sweepstakes based on contractual necessity, participant consent, or our legitimate interests (e.g., ensuring the security of the sweepstakes or protecting our interests against misuse through possible collection of IP addresses during entry submission).

If participant contributions are published as part of the sweepstakes (e.g., for voting or showcasing entries or winners, or for coverage of the sweepstakes), we note that participants’ names may also be published. Participants may object to this at any time.

If the sweepstakes takes place via an online platform or social network (e.g., Facebook or Instagram, hereinafter referred to as “online platform”), the terms of use and privacy policies of the respective platforms also apply. In such cases, we point out that we are responsible for any participant information submitted as part of the sweepstakes, and any related inquiries should be directed to us.

Participant data will be deleted once the sweepstakes or competition ends and the data is no longer needed—for example, to notify winners or due to the absence of foreseeable follow-up questions. In general, participant data will be deleted no later than six months after the end of the sweepstakes. Data of winners may be retained longer, for example, to respond to queries regarding prizes or to fulfill prize delivery; the retention period depends on the nature of the prize and may last up to three years for items or services (e.g., to process warranty claims). Participant data may also be retained longer if the sweepstakes is reported on in online or offline media.

If data is collected for other purposes in the context of the sweepstakes (e.g., newsletter signup), its processing and retention are governed by the data protection information for that specific use.

Types of processed data: Identity data (e.g., full name, residential address, contact details, customer ID); contact details (e.g., postal and email addresses or phone numbers); content data (e.g., text or image submissions and related info such as authorship or creation date).
Data subjects: Sweepstakes and competition participants.
Purpose of processing: Conducting sweepstakes and competitions.
Retention and deletion: Deletion as described under “General Information on Data Retention and Deletion.”
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Surveys and Polls

We conduct surveys and polls to gather information for the respective stated purpose. Our surveys and polls (hereinafter “surveys”) are evaluated anonymously. Personal data is only processed to the extent necessary for providing and technically conducting the surveys (e.g., IP address processing to display the survey in the user’s browser or using cookies to allow resumption of the survey).

Types of processed data: Identity data (e.g., full name, residential address, contact info, customer number); contact details (e.g., postal and email addresses or phone numbers); content data (e.g., messages and submissions, metadata such as authorship or timestamp); usage data (e.g., page views, time spent, click paths, intensity and frequency of use, device types, OS, content interaction).
Data subjects: Participants.
Purpose of processing: Feedback collection (e.g., via online forms); surveys and questionnaires (e.g., multiple-choice).
Retention and deletion: Deletion as described under “General Information on Data Retention and Deletion.”
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Additional services:
Google Forms – For creating and evaluating online forms, surveys, etc.;
Provider: Google Ireland Ltd.;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
Privacy Policy | DPA

Web Analysis, Monitoring, and Optimization

Web analysis (also called “audience measurement”) is used to evaluate visitor traffic to our online services. It may include behavioral, interest-based, or demographic data, such as age or gender, as pseudonymized values. This allows us to understand usage patterns and improve our services.

We may also use testing procedures (A/B testing) to optimize content and features.

Unless stated otherwise, user profiles may be created, and data stored/retrieved from a browser or device. This includes visited pages, technical info like browser type and system, and usage times. IP addresses are also stored, but we use IP masking (i.e., pseudonymization by shortening IP addresses).

No clear personal data (like names or emails) is stored—only pseudonymous data. We and service providers do not know users’ actual identities.

Legal notes: Where user consent is obtained for third-party tools, that consent forms the legal basis. Otherwise, data is processed based on legitimate interests (efficiency and user-friendliness).

Types of processed data: Usage data (e.g., page views, click paths, device types, OS); meta and communication data (e.g., IP addresses, timestamps, IDs).
Data subjects: Users (e.g., website visitors, online service users).
Purpose of processing: Audience measurement, user profiling, service improvement.
Retention and deletion: As per “General Information on Data Retention and Deletion.” Cookies may be stored for up to 2 years.
Security: IP masking.
Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Additional tools/services:

• Adobe Analytics | Privacy Policy

• Google Analytics (pseudonymized user ID, no full IPs in EU) | Privacy Policy

• Google Tag Manager (tag management only) | Privacy Policy

Online Marketing

We process personal data for online marketing purposes, which include the promotion of advertising content tailored to user interests and measuring marketing effectiveness.

User profiles are created and stored in cookies or via similar technologies. These may include visited pages, used networks, communication partners, browser/device info, and usage time. If users have given location access, this may also be used.

We use IP masking. No clear user data is stored—only pseudonyms. In some cases, clear data may be linked to profiles (e.g., if users are logged into a social network used for marketing).

Cookies can be read across different websites to display relevant content. In general, we only receive aggregate performance data (e.g., from conversion tracking).

Retention: Unless stated otherwise, cookies may be stored for up to 2 years.
Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
User rights: See provider privacy policies and opt-out options.

• EU opt-out

• Canada

• USA

• Global

Types of processed data: Usage data (page views, time spent, click paths); meta and communication data (IP, timestamps, IDs).
Data subjects: Users (e.g., visitors to online services).
Purpose of processing: Audience measurement, tracking, targeting, profiling, conversion tracking.
Retention and deletion: As per “General Information on Data Retention and Deletion.”
Security: IP masking.

Additional tools/services:

• Google Ads & Conversion Tracking | Privacy Policy : We integrate the Google AdSense service, which enables the placement of personalized advertisements within our online offering. Google AdSense analyzes user behavior and uses this data to deliver targeted advertising tailored to the interests of our visitors. We receive financial compensation for each advertisement displayed or other forms of usage of these ads.
  Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
  Legal basis: Consent (Art. 6(1)(1)(a) GDPR);
  Website: https://marketingplatform.google.com;
  Privacy Policy: https://policies.google.com/privacy;
  Basis for third-country data transfers: Data Privacy Framework (DPF);
  Further information: Types of processing and data processed: https://business.safety.google/adsservices/.
  Data processing terms for Google advertising products: Information on the services, data processing terms between controllers, and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.

Affiliate Programs and Affiliate Links

We integrate so-called affiliate links or other references (which may include search masks, widgets, or discount codes) to offers and services from third-party providers into our online offering (collectively referred to as “affiliate links”). If users follow these affiliate links and subsequently engage with the offers, we may receive a commission or other benefits from the third-party providers (collectively referred to as “commission”).

In order to track whether users have taken up the offers provided through an affiliate link integrated into our website, it is necessary for the respective third-party providers to know that users followed an affiliate link within our online offering. The assignment of affiliate links to business transactions or other actions (e.g., purchases) serves solely for commission tracking and will be removed as soon as it is no longer required for this purpose.

For the above-mentioned tracking purposes, affiliate links may be supplemented with certain values that are part of the link itself or can be stored in other ways, such as in a cookie. These values may include, in particular, the referring website (referrer), the time of the visit, an online identifier of the website operator where the affiliate link was placed, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.

Legal Notes: If we ask users for their consent to the use of third-party services, the legal basis for data processing is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, please also refer to the information on the use of cookies in this privacy policy.

Categories of Processed Data: Contract data (e.g., contract subject, term, customer category); usage data (e.g., page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved individuals).

Data Subjects: Interested parties, users (e.g., website visitors, users of online services).
Purpose of Processing: Affiliate tracking.
Storage and Deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion”.
Legal Bases: Consent (Art. 6(1)(1)(a) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Further Notes on Processing Activities, Procedures and Services:

• Amazon Affiliate Program: Affiliate marketing program (Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates);
  Service provider: Amazon EU S.à r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg;
  Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR);
  Website: https://www.amazon.de;
  Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010;
  Basis for third-country transfers: Data Privacy Framework (DPF).

• Booking.com Affiliate Program: Affiliate marketing partner program;
  Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands;
  Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR);
  Website: https://www.booking.com;
  Privacy Policy: https://www.booking.com/content/privacy.de.html.

Customer Reviews and Rating Systems

We participate in review and rating systems to evaluate, optimize, and promote our services. If users rate us via the involved platforms or procedures, or otherwise provide feedback, the terms of use and privacy policies of those platforms also apply. Generally, submitting a rating also requires registration with the respective provider.

To ensure that the reviewing persons have actually used our services, we may – with the customer’s consent – transmit the data required for this verification (including name, email address, and order or item number) to the respective review platform. This data is used solely to verify the authenticity of the user.

Categories of Processed Data: Contract data; usage data; meta, communication and procedural data.
Data Subjects: Service recipients and clients, users.
Purpose of Processing: Feedback collection (e.g., via online form), marketing.
Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further Notes:

• Review Widgets: We integrate “review widgets” into our online offer. A widget is a functionality and content element embedded into our website that displays variable information. It can appear as a seal or badge. While the widget content is displayed on our website, it is retrieved in real time from the widget provider’s server to ensure that up-to-date content (such as current ratings) is shown. For this, a data connection is established between the user’s browser and the widget provider’s server, transmitting access data (including IP address). The widget provider also learns that the user visited our online offering. These details can be stored in cookies and used for analytics or advertising purposes.
  Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Social Media Presences

We maintain online presences on social networks and process user data within these platforms to communicate with users or provide information about us.

Please note that user data may be processed outside the European Union. This could pose risks for users, e.g., making it more difficult to assert their rights.

Additionally, user data is typically processed for market research and advertising purposes. User profiles may be created based on user behavior and interests, which may be used for targeted ads both within and outside the platforms. Cookies are typically stored on users’ devices for this purpose. These profiles may include data across different devices, especially if users are members of the platforms and logged in.

For detailed information on the respective processing activities and opt-out options, please refer to the privacy statements of the respective network operators.

Please note: For information requests and the assertion of data subject rights, contacting the platform providers directly is the most effective option, as they have direct access to the relevant data. However, if you need assistance, feel free to contact us.

Categories of Processed Data: Contact data; content data; usage data; meta, communication and procedural data.
Data Subjects: Users (e.g., website visitors, users of online services).
Purposes of Processing: Communication, feedback collection, public relations.
Storage and Deletion: In accordance with “General Information on Data Storage and Deletion.”
Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further Information on Processing Operations, Procedures, and Services:

Instagram: Social network that enables sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.instagram.com
Privacy policy: https://privacycenter.instagram.com/policy/
Basis for third-country transfers: Data Privacy Framework (DPF).

Facebook Pages: Profiles within the Facebook social network – we are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (“Fanpage”). These data include information about the types of content users view or interact with, or actions they take (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy). As explained under “How do we use this information?” in the Facebook Data Policy, Facebook also collects and uses information to provide analytics services (“Page Insights”) to page operators, helping them understand how people interact with their pages and content.

We have concluded a special agreement with Facebook (“Page Insights Controller Addendum”, https://www.facebook.com/legal/terms/page_controller_addendum), which outlines the security measures Facebook must implement and confirms Facebook’s commitment to uphold data subject rights (e.g., users can request information or deletion directly from Facebook). User rights (especially rights to access, erasure, objection, and complaint to a supervisory authority) are not restricted by this agreement.
Further information can be found under “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).
Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, an EU-based company. Further data processing is solely the responsibility of Meta Platforms Ireland Limited, especially with regard to data transfers to its U.S.-based parent company, Meta Platforms, Inc.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.facebook.com
Privacy policy: https://www.facebook.com/privacy/policy/
Basis for third-country transfers: Data Privacy Framework (DPF).

LinkedIn: Social network – we are jointly responsible with LinkedIn Ireland Unlimited Company for collecting (but not further processing) data from visitors used to generate “Page Insights” (statistics) on our LinkedIn profiles. These data include information about the types of content users view or interact with, and their actions. Device information is also collected (e.g., IP addresses, OS, browser type, language settings, cookies), along with user profile details like job title, country, industry, seniority, company size, and employment status.

LinkedIn’s data protection details can be found at: https://www.linkedin.com/legal/privacy-policy
We have a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which outlines the required security measures and LinkedIn’s commitment to uphold user rights. User rights (especially the rights to access, deletion, objection, and complaint) are not restricted by this agreement. Joint responsibility is limited to collection and transfer of data to LinkedIn Ireland Unlimited Company, an EU-based company. Further data processing is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly concerning data transfers to LinkedIn Corporation in the U.S.
Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.linkedin.com
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Basis for third-country transfers: Data Privacy Framework (DPF).
Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

X (formerly Twitter): Social network.
Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://x.com
Privacy policy: https://x.com/de/privacy

YouTube: Social network and video platform.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Privacy policy: https://policies.google.com/privacy
Basis for third-country transfers: Data Privacy Framework (DPF).
Opt-out option: https://myadcenter.google.com/personalizationoff

Xing: Social network.
Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.xing.com/
Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung