Privacy Policy

1. Categories of Personal Data

We process the following categories of personal data:

1. Master data (name, if provided)
2. Contact data (email address)
3. Content data (text entries via forms)
4. Usage data (access data)
5. Meta/communication data (IP addresses, browser information)

2. Recipients or Categories of Recipients of Personal Data

Insofar as we disclose data to other persons and companies such as web hosts, processors, or third parties in the course of our processing, transmit data to them, or otherwise grant them access to the data, this is done on the basis of a legal permission (e.g. if a transmission of data to third parties pursuant to Art. 6(1)(b) GDPR is necessary for the performance of a contract), if the data subjects have consented, or if a legal obligation provides for this.

3. Duration of Storage of Personal Data

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is deleted, provided it is no longer required for the fulfillment of the purpose, the performance of a contract, or the initiation of a contract.

4. Transfers to Third Countries

Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of using third-party services or the disclosure or transmission of data to third parties, this only takes place if it is done to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met, i.e. processing takes place, for example, on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to that of the EU, or compliance with officially recognized special contractual obligations (so-called "Standard Contractual Clauses").

1. Log Files

Each time our website is accessed by a data subject, general data and information are stored in the log files of our system:

1. Date and time of access (timestamp)
2. Request details and destination address (protocol version, HTTP method, referrer, user agent string)
3. Name of the retrieved file and amount of data transferred (requested URL including query string, size in bytes)
4. Notification of whether the access was successful (HTTP status code)

When using this general data and information, we do not draw any conclusions about the data subject. No personal evaluation or evaluation of data for marketing purposes or profiling takes place. The IP address is not stored in this context.

The legal basis for the temporary storage of data is Art. 6(1)(f) GDPR. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the secure operation of our website. Consequently, there is no possibility of objection on the part of the data subject.

2. Malware Detection and Log Data Analysis

We collect log data generated during the operation of communications technology of our company and evaluate it in an automated manner, insofar as this is necessary to detect, limit, or eliminate disruptions or errors in the communications technology or to defend against attacks on our information technology or to detect and defend against malware.

The legal basis for the temporary storage and evaluation of data is Art. 6(1)(f) GDPR. The storage and evaluation of data is absolutely necessary for the provision of the website and its secure operation. Consequently, there is no possibility of objection on the part of the data subject.

3. Cookies & Local Storage

We do not use tracking cookies or client-side analytics scripts on our website. Where technically required functions necessitate the storage of information on the user's device (e.g. for storing the selected language preference in Local Storage), this is done solely to provide the function explicitly requested by the user. The legal basis is Section 25(2) No. 2 TTDSG.

4. Hosting

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we use for the purpose of operating our website.

In doing so, we or our processor process master data, contact data, content data, contract data, usage data, meta and communication data of users of our website on the basis of our legitimate interests in an efficient and secure provision of this online offering pursuant to Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

5. Social Media

We do not use social media plugins on our website, but rather so-called social bookmarks (these are embedded as links to the corresponding services. When the user clicks on the embedded graphic, the user is redirected to the page of the respective provider). We would like to point out that, as the provider of our website, we have no knowledge of the data transmitted to the respective social media channel and used by them.

6. Use of PostHog

This website uses PostHog, analytics software by PostHog Inc., to analyze usage behavior on our website and improve our offering. The following technical usage data is processed:

1. pages visited
2. interactions (e.g. clicks & scrolls)
3. browser and device information

The analysis is performed exclusively server-side — no cookies are set and no client-side tracking script is embedded in the browser. The collected data is evaluated in aggregated form and is not used to create personal user profiles. IP addresses are used server-side solely for rough geographic classification (country, region) and are not stored afterward, making it impossible to identify individual users. For statistical counting of page visits, a daily-reset anonymous identifier is generated server-side that does not allow conclusions about individual persons. All data processing takes place exclusively on servers within the European Union.

For further information on data protection, please refer to PostHog's privacy policy: https://posthog.com/privacy

1. Use of HubSpot

All data collected through signup forms is stored and managed in HubSpot, a CRM solution by HubSpot Inc. Data is processed on HubSpot servers in the EU.

HubSpot is a software company from the USA. To legitimize the data transfer to the USA, HubSpot Inc. relies on EU Standard Contractual Clauses: https://legal.hubspot.com/dpa

For further information on data protection: HubSpot Privacy Policy, HubSpot GDPR Information.

2. Use of Brevo

For sending our newsletter, performance tracking (open rates, click behavior), and transactional emails, we use Brevo, a service of Brevo GmbH, Köpenicker Straße 126, 10179 Berlin. Email addresses and related data are stored on Brevo GmbH servers.

We have concluded a data processing agreement pursuant to Art. 28 GDPR with Brevo. For further information: Brevo Privacy Policy

3. Newsletter

When you subscribe to our newsletter, your email address is stored. You give your consent by confirming the confirmation link sent to you by email (double opt-in procedure). Only upon confirmation of this link will your data be stored for newsletter delivery.

The legal basis for data processing including performance tracking is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 7(2) No. 3 UWG.

You can unsubscribe from the newsletter at any time via the unsubscribe link at the end of each issue. On the basis of our legitimate interests, unsubscribed email addresses will be retained for up to three years to prove previously given consent.

4. Early Access

When signing up for Early Access, your email address is stored. You will receive an invitation email and information about your access and essential service changes.

The legal basis is Art. 6(1)(b) or (f) GDPR (pre-contractual measures and legitimate interest).

5. Study Request

When submitting a study request, your email address is stored. We will contact you once by email regarding your request. Further contact is only made at your initiative.

The legal basis is Art. 6(1)(b) or (f) GDPR.

6. Partnership Request

When submitting a partnership request, your email address is stored. We will contact you once by email regarding your request. Further contact is only made at your initiative.

The legal basis is Art. 6(1)(b) or (f) GDPR.

1. Contacting Us by Email

It is possible to contact our company by email via the email addresses published on our website.

If you use this method of contact, the data you transmit (e.g. name, first name, address), but at least the email address, as well as the information contained in the email together with any personal data you transmit, will be stored for the purpose of contacting you and processing your request. In addition, the following data is collected by our system:

1. Date and time of the email

The legal basis for the processing of personal data in the context of emails transmitted to us is Art. 6(1)(b) or (f) GDPR.

2. Contacting Us by Letter

If you send us a letter, the data you transmit (e.g. name, first name, address) and the information contained in the letter together with any personal data you transmit will be stored for the purpose of contacting you and processing your request.

The legal basis for the processing of personal data in the context of letters transmitted to us is Art. 6(1)(b) or (f) GDPR.

3. Contacting Us via the Website Contact Form

If you use the contact form provided on our website for communication, the provision of your email address and the text of the inquiry is required. Without this data, your request submitted via the contact form cannot be processed. The provision of your first and last name is optional, but allows us to process your request more quickly and accurately.

In addition, the date and time of submission is collected by our system.

The legal basis for the processing of personal data in the context of contact form submissions is Art. 6(1)(b) or (f) GDPR.

The dispatch of incoming contact messages and any confirmation emails is handled by the service provider Brevo (see Section V). Brevo processes the transmitted data exclusively on our behalf on the basis of a data processing agreement pursuant to Art. 28 GDPR.

4. Email Hosting (all-inkl.COM)

Messages received via our contact form and by email are stored on mail servers of all-inkl.COM, Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf. All-inkl processes the personal data contained therein (in particular name, email address, and message content) exclusively on our behalf to provide the email service.

The legal basis is Art. 6(1)(b) or (f) GDPR in conjunction with Art. 28 GDPR (data processing agreement). We have concluded a data processing agreement with all-inkl.COM. For further information: all-inkl.com/datenschutzinformationen

1. Right of Access

(1) The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them are being processed; if this is the case, they have a right of access to such personal data and to the following information:

1. the purposes of the processing;
2. the categories of personal data being processed;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request rectification or erasure of personal data concerning them or restriction of processing by the controller or a right to object to such processing;
6. the existence of the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to Rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to Erasure

(1) The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
2. The data subject withdraws consent on which the processing is based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
3. The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) GDPR.
4. The personal data have been unlawfully processed.
5. The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
6. The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

(2) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary

1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise, or defense of legal claims.

4. Right to Restriction of Processing

(1) The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
4. the data subject has objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

5. Right to Data Portability

(1) The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

1. the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR; and
2. the processing is carried out by automated means.

(2) In exercising the right to data portability pursuant to paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Right to Object

The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.

7. Right of Withdrawal

The data subject has the right to withdraw their data protection declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

8. Right to Lodge a Complaint with a Supervisory Authority

Every data subject has the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation.