Privacy Policy
Introduction
With the following Privacy Policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) that we process, the purposes for which we process them, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Services”).
The terms used are gender-neutral.
Last updated: November 17, 2022
Table of Contents
- Introduction
- Controller
- Overview of Processing Activities
- Legal Bases for Processing
- Security Measures
- Transfer of Personal Data
- Data Processing in Third Countries
- Deletion of Data
- Use of Cookies
- Business Services
- Payment Methods
- Provision of Online Services and Web Hosting
- Blogs and Publications
- Contact and Inquiry Management
- Newsletter and Electronic Notifications
- Marketing Communications via Email, Mail, Fax or Telephone
- Web Analytics, Monitoring and Optimization
- Social Media Presence
- Online Marketing
- Plugins, Embedded Functions and Content
- Changes and Updates to this Privacy Policy
- Rights of Data Subjects
- Definitions
Controller
Maske-Wien / Makeup Studio
Mollardgasse 38, Top 6-7 / Entrance Brückengasse
A-1060 Vienna, Austria
Authorized Representative: Mag.art Katharina Gräser
Email: katharina@maske-wien.com
Phone: +43 699 11 27 02 79
Legal Notice:
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes for which they are processed, and the categories of data subjects affected.
Types of Data Processed
- Master Data.
- Payment Data.
- Location Data.
- Contact Data.
- Content Data.
- Contract Data.
- Usage Data.
- Meta/Communication Data.
Categories of Data Subjects
- Customers.
- Prospective Customers.
- Communication Partners.
- Users.
- Business and Contractual Partners.
- Students / Participants.
Purposes of Processing
- Provision of Contractual Services and Customer Support.
- Contact Requests and Communication.
- Security Measures.
- Direct Marketing.
- Reach Measurement and Analytics.
- Administrative and Organizational Procedures.
- Management and Response to Inquiries.
- Server Monitoring and Error Detection.
- Firewall Protection.
- Feedback Collection.
- Marketing.
- User-Related Profiles.
- Provision and Improvement of Our Online Services.
- Information Technology Infrastructure.
Legal Bases for Processing
Below you will find an overview of the legal bases under the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or in our country of establishment. If more specific legal bases are applicable in individual cases, we will inform you of them in this Privacy Policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal Obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.
In addition to the provisions of the General Data Protection Regulation (GDPR), national data protection laws apply in Austria. This includes, in particular, the Austrian Data Protection Act (Datenschutzgesetz – DSG). The Austrian Data Protection Act contains specific provisions regarding the right of access, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes, data transfers, and automated decision-making in individual cases.
Security Measures
In accordance with legal requirements and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, input, disclosure, availability, and segregation of data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data security incidents. We also take the protection of personal data into account during the development and selection of hardware, software, and procedures, in accordance with the principles of privacy by design and privacy by default.
TLS Encryption (HTTPS): To protect the data you transmit through our online services, we use TLS encryption. You can recognize such encrypted connections by the “https://” prefix in your browser’s address bar.
Transfer of Personal Data
As part of our processing of personal data, it may be necessary to transfer or disclose such data to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT-related tasks or providers of services and content integrated into our website. In such cases, we comply with the applicable legal requirements and, in particular, conclude appropriate contracts and agreements with the recipients of your data to ensure its protection.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place through the use of third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this will only occur in accordance with the applicable legal requirements.
Subject to explicit consent or legally or contractually required transfers, we only process or permit the processing of data in third countries that provide an adequate level of data protection, on the basis of contractual obligations through the European Commission’s Standard Contractual Clauses, certifications, or binding internal data protection rules (Articles 44–49 GDPR). For further information, please visit the European Commission’s information page:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de
Deletion of Data
The data processed by us will be deleted in accordance with legal requirements as soon as the consent permitting its processing is withdrawn or other legal grounds no longer apply (for example, if the purpose for processing the data no longer exists or the data is no longer required for that purpose).
If data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means that the data will be blocked and not processed for any other purpose. This applies, for example, to data that must be retained for commercial or tax law reasons, or whose storage is necessary for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person.
Our privacy notices may also contain additional information regarding the retention and deletion of data that takes precedence for the respective processing activities.
Use of Cookies
Cookies are small text files or other storage technologies that store information on end-user devices and retrieve information from those devices. For example, they may be used to store login status in a user account, shopping cart contents in an online store, accessed content, or functions used within an online service. Cookies may also be used for various purposes, such as ensuring functionality, security, and convenience of online services, as well as generating visitor analytics.
Information on Consent: We use cookies in accordance with applicable legal requirements. Therefore, we obtain users’ prior consent unless such consent is not legally required. Consent is not necessary in particular where the storage and retrieval of information, including cookies, is strictly necessary to provide users with a telemedia service explicitly requested by them (i.e., our online services). The consent, which can be withdrawn, is clearly communicated to users and includes information about the respective use of cookies.
Information on Data Protection Legal Bases: The legal basis on which we process users’ personal data through cookies depends on whether we request users’ consent. If users provide consent, the legal basis for processing their data is that consent. Otherwise, data processed through cookies is processed on the basis of our legitimate interests (for example, the efficient operation of our online services and the improvement of usability) or, where necessary, to fulfill our contractual obligations when the use of cookies is required for that purpose. The specific purposes for which cookies are processed are explained throughout this Privacy Policy or within our consent and processing procedures.
Storage Duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also known as Session Cookies): Temporary cookies are deleted at the latest when a user leaves an online service and closes their device (e.g., browser or mobile application).
- Persistent Cookies: Persistent cookies remain stored even after the device has been closed. For example, login status can be saved, or preferred content can be displayed directly when the user revisits a website. Data collected through cookies may also be used for audience measurement and analytics purposes. Unless we provide users with explicit information regarding the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies may be persistent and stored for up to two years.
General Information on Withdrawal of Consent and Objection (Opt-Out): Users may withdraw any consent they have given at any time and may also object to processing in accordance with Article 21 GDPR. Users may exercise their objection through their browser settings, for example by disabling the use of cookies (although doing so may limit the functionality of our online services). Objections to the use of cookies for online marketing purposes may also be submitted via the following websites: https://optout.aboutads.info and https://www.youronlinechoices.com/.
Additional Information on Processing Activities, Procedures, and Services:
- Processing of Cookie Data Based on Consent: We use a cookie consent management procedure through which users’ consent to the use of cookies, as well as the processing activities and providers specified within the consent management framework, can be obtained, managed, and withdrawn. The consent declaration is stored so that it does not have to be requested repeatedly and so that compliance with legal obligations can be demonstrated. Storage may occur on the server and/or in a cookie (so-called opt-in cookie) or through comparable technologies in order to assign consent to a user or their device. Subject to provider-specific information regarding cookie management services, the following applies: consent data may be stored for up to two years. A pseudonymous user identifier is created and stored together with the time consent was given, details regarding the scope of consent (e.g., categories of cookies and/or service providers), and information about the browser, operating system, and device used.
- BorlabsCookie: Cookie Consent Management; Service Provider: Hosted locally on our server, no data is shared with third parties; Website: https://de.borlabs.io/borlabs-cookie/; Additional Information: An individual user ID, language settings, consent categories, and the time consent was granted are stored both server-side and in a cookie on the user’s device.
Business Services
We process the data of our contractual and business partners, such as customers and prospective customers (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships, related measures, and communications with contractual partners (including pre-contractual communications), for example, to respond to inquiries.
We process this data in order to fulfill our contractual obligations. These obligations include, in particular, the provision of agreed services, any update obligations, and remedies for warranty claims or other service disruptions. In addition, we process data to safeguard our rights and for administrative tasks associated with these obligations, as well as for organizational management purposes.
Furthermore, we process data based on our legitimate interests in maintaining proper and efficient business operations and implementing security measures to protect our contractual partners and our business operations from misuse, risks to their data, confidential information, and legal rights (for example, through the involvement of telecommunications providers, transport services, subcontractors, banks, tax advisors, legal advisors, payment service providers, or public authorities).
Within the scope of applicable law, we only disclose contractual partner data to third parties where necessary for the purposes described above or to fulfill legal obligations. Contractual partners will be informed about additional forms of processing, such as marketing activities, within this Privacy Policy.
We inform contractual partners of which data is required for the aforementioned purposes before or during data collection, for example through online forms, special markings (e.g., colors or symbols such as asterisks), or through direct communication.
We delete data after the expiration of statutory warranty periods and comparable obligations, generally after four years, unless the data is stored in a customer account or must be retained for legal archiving purposes. Under Austrian law, retention periods are generally ten years for tax-related documents, accounting records, inventories, opening balance sheets, annual financial statements, and supporting documentation, and six years for received and sent business correspondence. These periods begin at the end of the calendar year in which the relevant record, transaction, or document was created.
Where we use third-party providers or platforms to provide our services, the terms and privacy policies of those providers or platforms apply in the relationship between users and the respective providers.
- Types of Data Processed: Master Data (e.g., names, addresses); Payment Data (e.g., bank details, invoices, payment history); Contact Data (e.g., email addresses, telephone numbers); Contract Data (e.g., subject matter of the contract, contract duration, customer category).
- Categories of Data Subjects: Prospective Customers; Business and Contractual Partners; Students / Participants.
- Purposes of Processing: Provision of Contractual Services and Customer Support; Contact Requests and Communication; Administrative and Organizational Procedures; Management and Response to Inquiries.
- Legal Bases: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR); Legal Obligation (Art. 6(1)(c) GDPR); Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Educational and Training Services: We process the data of participants in our educational and training programs (collectively referred to as “trainees”) in order to provide our training services. The nature, scope, purpose, and necessity of processing depend on the underlying contractual and training relationship. Processing activities may also include performance assessments and evaluations of both our services and those of instructors. In the course of our activities, we may also process special categories of personal data, particularly health-related information and data revealing ethnic origin, political opinions, religious or philosophical beliefs. Where required, we obtain explicit consent from trainees and otherwise process such special categories of data only when necessary for providing training services, healthcare, social protection, or safeguarding vital interests. Legal Basis: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR).
- Artistic and Literary Services: We process the data of our clients in order to enable them to select, purchase, or commission services or works, as well as related activities, payment processing, delivery, execution, or provision of such services. Required information is identified as such during the ordering, booking, or contractual process and includes information necessary for delivery, invoicing, and communication. Legal Basis: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR).
Payment Methods
Within the framework of contractual and other legal relationships, legal obligations, or based on our legitimate interests, we provide data subjects with efficient and secure payment options and use, in addition to banks and financial institutions, other service providers (collectively referred to as “payment service providers”).
The data processed by payment service providers includes master data such as name and address, banking information such as account numbers or credit card numbers, passwords, TANs, verification codes, as well as contract-related, transaction-related, and recipient-related information. This information is required to process transactions. However, the entered data is processed and stored solely by the respective payment service providers. This means that we do not receive any account or credit card information, but only information confirming or rejecting a payment. In certain cases, payment service providers may transfer data to credit agencies for identity and creditworthiness checks. Please refer to the terms and conditions and privacy policies of the respective payment service providers for further details.
The terms and conditions and privacy policies of the respective payment service providers apply to payment transactions and can be accessed on their websites or transaction applications. We also refer to these documents for further information and for exercising rights of withdrawal, access, and other data subject rights.
- Types of Data Processed: Master Data (e.g., names, addresses); Payment Data (e.g., bank details, invoices, payment history); Contract Data (e.g., contract subject matter, duration, customer category); Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Categories of Data Subjects: Customers; Prospective Customers.
- Purposes of Processing: Provision of Contractual Services and Customer Support.
- Legal Bases: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Mastercard: Payment services (technical integration of online payment methods); Service Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal Basis: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR); Website: https://www.mastercard.de/de-de.html; Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
- Visa: Payment services (technical integration of online payment methods); Service Provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom; Legal Basis: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR); Website: https://www.visa.de; Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
Provision of Online Services and Web Hosting
We process users’ data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functionality of our online services to the user’s browser or device.
- Types of Data Processed: Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses); Content Data (e.g., entries submitted through online forms).
- Categories of Data Subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Provision of Our Online Services and User Friendliness; Information Technology Infrastructure (operation and provision of information systems and technical equipment such as computers and servers); Security Measures; Server Monitoring and Error Detection; Firewall Protection.
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Provision of Online Services on Rented Hosting Infrastructure: To provide our online services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a hosting provider (“web host”); Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online services is logged in so-called server log files. Server log files may include the address and name of accessed web pages and files, date and time of access, amount of data transferred, notification of successful retrieval, browser type and version, operating system, referrer URL (previously visited page), IP addresses, and the requesting provider. Server log files may be used for security purposes, such as preventing server overload (particularly in the case of abusive attacks, such as DDoS attacks), and to ensure server stability and performance. Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Data Retention: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
- World4You: Services relating to information technology infrastructure and related services (e.g., hosting space and computing resources); Service Provider: World4You Internet Services GmbH, Hafenstrasse 35, 4020 Linz, Austria; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: www.world4you.com; Privacy Policy: https://www.world4you.com/de/unternehmen/datenschutzerklaerung.html; Data Processing Agreement: Provided by the service provider.
- WordPress.com: Hosting and software for creating, publishing, and operating websites, blogs, and other online services; Service Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Place, Dublin, D02 AY86, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://wordpress.com; Privacy Policy: https://automattic.com/de/privacy/; Data Processing Agreement: https://wordpress.com/support/data-processing-agreements/.
- Sucuri: Firewall, security, and error detection services; Service Provider: Sucuri LLC, a GoDaddy company, 6060 Center Drive, Suite 500, Los Angeles, CA 90045, USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Privacy Policy: https://sucuri.net/privacy.
- Wordfence: Firewall, security, and error detection services; Service Provider: Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.wordfence.com; Privacy Policy: https://www.wordfence.com/privacy-policy/; Standard Contractual Clauses (Safeguarding Data Protection for International Transfers): https://www.wordfence.com/standard-contractual-clauses/.
Blogs and Publications
We use blogs or comparable means of online communication and publication (hereinafter referred to as the “Publication Medium”). Reader data is processed only to the extent necessary for the operation of the publication medium, communication between authors and readers, or for security purposes. For all other aspects, we refer to the information regarding the processing of visitors’ data contained within this Privacy Policy.
- Types of Data Processed: Master Data (e.g., names, addresses); Contact Data (e.g., email addresses, telephone numbers); Content Data (e.g., information entered into online forms); Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Categories of Data Subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Provision of Contractual Services and Customer Support; Feedback (e.g., collection of feedback through online forms); Provision of Our Online Services and User Friendliness; Security Measures; Management and Response to Inquiries.
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Comments and Contributions: If users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests. This serves our security interests in case someone posts unlawful content (such as defamatory statements, prohibited political propaganda, etc.). In such cases, we may be held responsible for the comment or contribution and therefore have an interest in identifying the author. Furthermore, based on our legitimate interests, we reserve the right to process user information for spam detection purposes. On the same legal basis, in the event of surveys or polls, we may store users’ IP addresses for the duration of the survey and use cookies to prevent multiple submissions. Personal information, contact details, website information, and content provided in comments and contributions will remain stored until the user objects to such storage. Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
- Akismet Anti-Spam Protection: We use the “Akismet” service on the basis of our legitimate interests. Akismet helps distinguish genuine comments from spam comments. To do this, all comment data is transmitted to a server in the United States, where it is analyzed and stored for comparison purposes for four days. If a comment is classified as spam, the data may be stored beyond that period. This information includes the submitted name, email address, IP address, comment content, referrer, browser information, operating system details, and the time the comment was submitted. Users may use pseudonyms or refrain from entering a name or email address. Users can prevent the transmission of data entirely by not using our comment system. While this is possible, we are currently unaware of equally effective alternatives. Service Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Place, Dublin, D02 AY86, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://automattic.com; Privacy Policy: https://automattic.com/privacy.
- UpdraftPlus: Backup software and backup storage; Service Provider: Simba Hosting Ltd., 11 Barringer Way, St. Neots, Cambridgeshire, PE19 1LW, United Kingdom; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://updraftplus.com/; Privacy Policy: https://updraftplus.com/data-protection-and-privacy-centre/.
Contact and Inquiry Management
When you contact us (e.g., via contact form, email, telephone, or social media), as well as within the framework of existing user or business relationships, the information provided by the requesting party is processed to the extent necessary to respond to contact inquiries and any requested actions.
- Types of Data Processed: Contact Data (e.g., email addresses, telephone numbers); Content Data (e.g., information entered into online forms); Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Categories of Data Subjects: Communication Partners.
- Purposes of Processing: Contact Requests and Communication; Management and Response to Inquiries; Feedback (e.g., collection of feedback through online forms); Provision of Our Online Services and User Friendliness.
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Contact Form: When users contact us through our contact form, email, or other communication channels, we process the information provided for the purpose of handling the request submitted. Legal Bases: Performance of a Contract and Pre-Contractual Requests (Art. 6(1)(b) GDPR) and Legitimate Interests (Art. 6(1)(f) GDPR).
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter referred to as “Newsletters”) only with the recipient’s consent or where otherwise permitted by law. If the contents of a newsletter are specifically described during the subscription process, those contents are decisive for the user’s consent. Otherwise, our newsletters contain information about our services and our company.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may request your name for personalized communication or other information necessary for the purposes of the newsletter.
Double Opt-In Procedure: Subscription to our newsletter generally follows a double opt-in procedure. After registering, you will receive an email requesting confirmation of your subscription. This confirmation is necessary to prevent anyone from subscribing using someone else’s email address. Newsletter subscriptions are logged in order to demonstrate compliance with legal requirements. This includes storing the time of registration, the time of confirmation, and the IP address used. Changes to data stored with the newsletter service provider are also logged.
Deletion and Restriction of Processing: We may retain unsubscribed email addresses for up to three years based on our legitimate interests in order to demonstrate previously granted consent before deleting them. Processing of such data is limited solely to the purpose of defending potential legal claims. An individual request for deletion is possible at any time, provided that the previous existence of consent is confirmed. Where there is a legal obligation to permanently respect objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “blocklist”).
The logging of the subscription process is carried out on the basis of our legitimate interests for the purpose of demonstrating that the subscription procedure was conducted properly. Where we engage a service provider for the sending of emails, this is done on the basis of our legitimate interests in maintaining an efficient and secure mailing system.
- Types of Data Processed: Master Data (e.g., names, addresses); Contact Data (e.g., email addresses, telephone numbers); Meta/Communication Data (e.g., device information, IP addresses).
- Categories of Data Subjects: Communication Partners.
- Purposes of Processing: Direct Marketing (e.g., via email or postal mail).
- Legal Basis: Consent (Art. 6(1)(a) GDPR).
- Right to Object (Opt-Out): You may unsubscribe from our newsletter at any time, withdraw your consent, or object to receiving future communications. A link to unsubscribe can be found at the end of each newsletter, or you may use any of the contact methods provided above, preferably by email.
Marketing Communications via Email, Mail, Fax, or Telephone
We process personal data for the purpose of marketing communications, which may be carried out through various channels such as email, telephone, postal mail, or fax, in accordance with applicable legal requirements.
Recipients have the right to withdraw any consent they have given at any time or to object to marketing communications at any time.
Following a withdrawal of consent or an objection, we store the data required to demonstrate our previous authorization to contact or send communications for up to three years after the end of the year in which the withdrawal or objection occurred, based on our legitimate interests. Processing of this data is limited to the purpose of defending potential legal claims. Based on our legitimate interest in permanently respecting users’ withdrawal requests or objections, we also store the information necessary to prevent future contact (e.g., email address, telephone number, or name, depending on the communication channel used).
- Types of Data Processed: Master Data (e.g., names, addresses); Contact Data (e.g., email addresses, telephone numbers).
- Categories of Data Subjects: Communication Partners.
- Purposes of Processing: Direct Marketing (e.g., via email or postal mail).
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate Interests (Art. 6(1)(f) GDPR).
Web Analytics, Monitoring and Optimization
Web analytics (also referred to as “reach measurement”) is used to evaluate visitor traffic to our online services and may include behavior, interests, or demographic information of visitors, such as age or gender, in pseudonymized form. Through web analytics, we can determine, for example, at what times our online services, functions, or content are most frequently used or revisited. We can also identify areas that require optimization.
In addition to web analytics, we may use testing procedures to evaluate and optimize different versions of our online services or individual components thereof.
Unless otherwise stated below, profiles may be created for these purposes, meaning data associated with a specific usage process may be combined, and information may be stored on or retrieved from a browser or device. Information collected may include, in particular, visited web pages, content interactions, technical details such as browser type, operating system, and usage times. Where users have consented to the collection of their location data by us or by the providers of services we use, location data may also be processed.
Users’ IP addresses are also processed. However, we use IP masking (i.e., pseudonymization through truncation of the IP address) to protect users. In general, no directly identifiable user information (such as names or email addresses) is stored as part of web analytics, A/B testing, or optimization activities. Instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of users, but only the information stored within their profiles for the purposes of these procedures.
- Types of Data Processed: Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Categories of Data Subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Reach Measurement (e.g., access statistics and recognition of returning visitors); Profiles Containing User-Related Information.
- Security Measures: IP Masking (Pseudonymization of IP Addresses).
- Legal Basis: Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Google Analytics 4: We use Google Analytics to conduct user analysis based on a pseudonymous user identification number. This identification number does not contain any unique personal data such as names or email addresses. It is used to associate analytical information with a device in order to determine which content users accessed during one or more sessions, which search terms they used, whether they returned to content, or how they interacted with our online services. The time and duration of use, traffic sources, and technical details of devices and browsers are also stored. Pseudonymous user profiles may be created using information from multiple devices, and cookies may be used for this purpose.
Analytics provides higher-level geographic location data by deriving metadata from IP address lookups, including city (and corresponding latitude and longitude), continent, country, region, and subcontinent. To ensure the protection of user data within the EU, Google receives and processes all user data through domains and servers located within the European Union. Users’ IP addresses are not logged and are automatically truncated by the last two digits. This truncation takes place on EU servers for EU users. Furthermore, all sensitive data collected from EU users is deleted before being processed through EU domains and servers.
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal Basis: Consent (Art. 6(1)(a) GDPR).
Website: https://marketingplatform.google.com/intl/en/about/analytics/
Privacy Policy: https://policies.google.com/privacy
Data Processing Agreement: https://business.safety.google/adsprocessorterms/
Standard Contractual Clauses: https://business.safety.google/adsprocessorterms
Opt-Out: Google Analytics Opt-Out Browser Add-on: https://tools.google.com/dlpage/gaoptout; Ad Settings: https://adssettings.google.com
Further Information: https://privacy.google.com/businesses/adsservices
- Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags through a centralized interface and integrate additional services into our online offering. Google Tag Manager itself does not create user profiles or store cookies. Google only receives the user’s IP address, which is necessary for the execution of Google Tag Manager.
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal Basis: Consent (Art. 6(1)(a) GDPR).
Website: https://marketingplatform.google.com
Privacy Policy: https://policies.google.com/privacy
Social Media Presence
We maintain online profiles within social networks and process user data in this context in order to communicate with users active on these platforms and to provide information about our services.
Please note that user data may be processed outside the European Union (EU). This may result in risks for users, as it could make it more difficult to enforce their rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles may be created based on usage behavior and resulting interests. These profiles may in turn be used to display advertisements within and outside the respective networks that are presumed to match users’ interests. For these purposes, cookies are typically stored on users’ devices, in which user behavior and interests are recorded. In addition, data may be stored within user profiles independently of the devices used by the users (particularly if users are members of the respective platforms and are logged in).
For detailed information about the respective processing activities and available objection options (opt-out), please refer to the privacy policies and information provided by the operators of the respective social networks.
In the case of requests for information and the exercise of data subject rights, we would also like to point out that these rights can most effectively be exercised directly with the providers. Only the providers have access to users’ data and can take appropriate measures and provide information directly. However, if you require assistance, you may contact us.
- Types of Data Processed: Contact Data (e.g., email addresses, telephone numbers); Content Data (e.g., entries in online forms); Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Categories of Data Subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Contact Requests and Communication; Feedback (e.g., collecting feedback via online forms); Marketing.
- Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Instagram: Social Network.
Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Website: https://www.instagram.com
Privacy Policy: https://instagram.com/about/legal/privacy
- Facebook Pages: Profiles within the Facebook social network.
We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (“Fan Page”). This data includes information about the types of content users view or interact with, actions they take, and information about the devices they use (such as IP addresses, operating systems, browser types, language settings, and cookie data).
As explained in Facebook’s Data Policy, Facebook also collects and uses information to provide analytics services (“Page Insights”) to page operators, enabling them to understand how users interact with their pages and associated content.
We have entered into a special agreement with Facebook (“Page Insights Controller Addendum”), which specifies, among other things, the security measures Facebook must observe and confirms Facebook’s commitment to fulfilling data subject rights (e.g., users may submit access or deletion requests directly to Facebook).
Users’ rights (including rights of access, deletion, objection, and complaint to a supervisory authority) are not restricted by these agreements.
Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/about/privacy
Standard Contractual Clauses: https://www.facebook.com/legal/EU_data_transfer_addendum
Additional Information: Joint Controller Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data
The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company established within the EU. Any further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, including transfers to its parent company, Meta Platforms, Inc., in the United States, based on Standard Contractual Clauses.
Online Marketing
We process personal data for online marketing purposes. This includes, in particular, the marketing of advertising space and the display of promotional and other content (collectively referred to as “Content”) based on users’ potential interests, as well as measuring the effectiveness of such content.
For these purposes, so-called user profiles are created and stored in files (known as “cookies”) or through similar technologies that store information relevant for displaying the aforementioned content. This information may include viewed content, visited websites, social networks used, communication partners, technical information such as browser type and operating system, as well as usage times and interactions. Where users have consented to the collection of location data, such data may also be processed.
Users’ IP addresses are also processed. However, we use available IP masking procedures (i.e., pseudonymization through IP truncation) to protect users. As a rule, no directly identifying information (such as names or email addresses) is stored within online marketing procedures. Instead, pseudonyms are used. This means that neither we nor the providers of the online marketing services know the actual identity of users, but only the information stored in their profiles.
The information contained in these profiles is generally stored in cookies or through similar technologies. These cookies may later be read by other websites using the same online marketing procedures and analyzed for content display purposes. They may also be combined with additional information and stored on the servers of the online marketing service providers.
In exceptional cases, personal data may be associated with these profiles. This may occur, for example, when users are members of a social network whose online marketing services we use and the network links user profiles with the information described above. Please note that users may enter into additional agreements directly with providers, such as by providing consent during registration.
As a rule, we only receive aggregated information about the success of our advertising campaigns. However, through conversion tracking, we can determine which of our online marketing measures led to a conversion (for example, a contract conclusion with us). Conversion tracking is used solely to analyze the effectiveness of our marketing activities.
Unless otherwise stated, cookies used for these purposes are stored for a period of up to two years.
Information on Legal Bases: Where we request user consent for the use of third-party services, the legal basis for processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, please also refer to the information regarding the use of cookies contained in this Privacy Policy.
Types of Data Processed:
Facebook Event Data (“Event Data” refers to data that may be transmitted to Facebook via the Facebook Pixel or similar technologies and relates to individuals or their actions. This includes information such as website visits, interactions with content, use of functions, app installations, purchases, etc. Event Data is used to create target audiences (Custom Audiences) for content and advertising. Event Data does not include actual content such as comments, login credentials, or contact information such as names, email addresses, or telephone numbers. Facebook deletes Event Data after a maximum of two years, and audiences created from this data are deleted when our Facebook account is deleted).
Facebook Contact Information (“Contact Information” refers to personally identifiable information such as names, email addresses, and telephone numbers that may be transmitted to Facebook, for example via Facebook Pixel matching or uploaded for Custom Audience creation. After matching and audience creation, this information is deleted).
Usage Data (e.g., visited websites, interests in content, access times).
Meta/Communication Data (e.g., device information, IP addresses).
Categories of Data Subjects: Users (e.g., website visitors and users of online services).
Purposes of Processing: Remarketing; Audience Building; Conversion Tracking; Marketing; User Profiles.
Security Measures: IP Masking (Pseudonymization of IP Addresses).
Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate Interests (Art. 6(1)(f) GDPR).
Right to Object (Opt-Out): We refer you to the privacy policies of the respective providers and the opt-out options specified by them. If no explicit opt-out option is provided, you may disable cookies through your browser settings. Please note that doing so may limit the functionality of our online services. We additionally recommend the following industry-wide opt-out options:
a) Europe: https://www.youronlinechoices.eu
b) Canada: https://www.youradchoices.ca/choices
c) United States: https://www.aboutads.info/choices
d) Cross-regional: https://optout.aboutads.info
Additional Information on Processing Activities, Procedures, and Services:
Google Ads and Conversion Tracking: We use the online advertising service “Google Ads” to place advertisements within Google’s advertising network (e.g., in search results, videos, and websites) so that they are displayed to users who are likely to be interested in them.
We also measure the conversion performance of these advertisements. However, we only receive anonymous aggregated statistics regarding the number of users who clicked on our advertisements and were redirected to a page equipped with a conversion tracking tag. We do not receive any information that could personally identify individual users.
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Website: https://marketingplatform.google.com
Privacy Policy: https://policies.google.com/privacy
Further Information:
Types of processing and categories of processed data:
https://privacy.google.com/businesses/adsservices
Google Advertising Products Data Processing Terms, including controller-to-controller data processing terms and Standard Contractual Clauses for international data transfers:
https://business.safety.google/adscontrollerterms
Plugins, Embedded Functions, and Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “Third-Party Providers”). These may include, for example, graphics, videos, or maps (collectively referred to as “Content”).
The integration of such content always requires that the third-party providers process users’ IP addresses, as they would otherwise be unable to deliver the content to the users’ browsers. The IP address is therefore necessary for displaying these contents or functions. We make every effort to use only those contents whose respective providers use the IP address solely for delivering the content.
Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may contain technical information about the browser and operating system, referring websites, visit times, and other details regarding the use of our online offering. Such information may also be linked with information obtained from other sources.
- Types of Data Processed: Usage Data (e.g., visited websites, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses); Location Data (information about the geographical position of a device or person).
- Categories of Data Subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Provision of our online services and user-friendliness; Marketing; User Profiling.
- Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery):
We integrate software into our online offering that is loaded from the servers of other providers (e.g., functional libraries used to improve the display and usability of our website). In doing so, the respective providers collect users’ IP addresses and may process them for the purpose of delivering the software to users’ browsers, ensuring security, and analyzing and optimizing their services.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
- Google Fonts (Hosted Locally):
Fonts (“Google Fonts”) are used to ensure a user-friendly presentation of our online offering.
Service Provider: Google Fonts are hosted on our own server; no data is transmitted to Google.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
- Google Maps:
We integrate maps provided by the “Google Maps” service. Processed data may include users’ IP addresses and location data.
Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Website: https://mapsplatform.google.com/
Privacy Policy: https://policies.google.com/privacy
- Instagram Plugins and Content:
This may include content such as images, videos, text, and buttons that allow users to share content from our online offering within Instagram.
We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the further processing) of “Event Data” that Facebook collects through Instagram functions (e.g., embedded Instagram content) used on our website or receives through data transmission.
This joint responsibility applies to the following purposes:
a) Displaying content and advertising information that corresponds to users’ presumed interests;
b) Delivering commercial and transactional communications (e.g., contacting users via Facebook Messenger);
c) Improving ad delivery and personalization of functions and content.
We have entered into a specific agreement with Facebook (“Controller Addendum”) that governs security obligations and Facebook’s responsibility for fulfilling data subject rights. Users may submit access requests, deletion requests, and other privacy-related requests directly to Facebook.
Where Facebook provides us with aggregated measurement data, analytics, and reports that do not identify individual users, such processing takes place under a Data Processing Agreement and is not part of the joint controllership arrangement.
Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Website: https://www.instagram.com
Privacy Policy: https://instagram.com/about/legal/privacy
Changes and Updates to This Privacy Policy
We encourage you to review the contents of this Privacy Policy regularly.
We will update this Privacy Policy whenever changes to our data processing activities make such updates necessary. We will inform you whenever the changes require action on your part (e.g., consent) or any other form of individual notification.
Where we provide addresses and contact information of companies and organizations within this Privacy Policy, please note that these details may change over time. We therefore recommend verifying the information before making contact.
Rights of Data Subjects
As a data subject under the GDPR, you are entitled to various rights, particularly those arising from Articles 15 to 21 GDPR:
- Right to Object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to direct marketing.
- Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.
- Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed and to obtain access to that data, together with further information and a copy of the data in accordance with legal requirements.
- Right to Rectification: In accordance with legal requirements, you have the right to request the completion of incomplete personal data and the correction of inaccurate personal data concerning you.
- Right to Erasure and Restriction of Processing: In accordance with legal requirements, you have the right to request the immediate deletion of personal data concerning you or, alternatively, the restriction of its processing.
- Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request that it be transferred to another controller.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
Definitions
This section provides an overview of the terminology used in this Privacy Policy. Many of these terms are taken directly from legislation and are primarily defined in Article 4 of the GDPR. The legal definitions are binding. The explanations below are intended primarily to aid understanding. The terms are listed in alphabetical order.
- Firewall: A firewall is a security system designed to protect a computer network or an individual computer against unauthorized network access.
- Personal Data: “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- User-Related Profiles: The processing of “user-related profiles,” or simply “profiles,” includes any form of automated processing of personal data consisting of the use of such personal data to evaluate, analyze, or predict certain personal aspects relating to a natural person. Depending on the type of profiling involved, this may include information relating to demographics, behavior, interests, interactions with websites and their content, and similar activities. Profiling is commonly carried out using cookies and web beacons.
- Reach Measurement (Web Analytics): Reach measurement, also known as web analytics, is used to evaluate visitor traffic to an online service and may include information regarding visitor behavior or interests in specific content, such as website pages. Through reach analysis, website operators can determine, for example, when visitors access their website and which content attracts the most interest. This enables them to better tailor website content to users’ needs. Pseudonymous cookies and web beacons are often used for this purpose to recognize returning visitors and obtain more accurate analyses of online service usage.
- Server Monitoring and Error Detection: Through server monitoring and error detection, we ensure the availability and integrity of our online services and use the processed data to optimize our online offering from a technical perspective. This includes processing performance metrics, load statistics, and comparable technical information that provide insight into the stability of our systems and any irregularities. In the event of errors or anomalies, individual user requests may be recorded in order to identify and resolve technical issues.
- Location Data: Location data is generated when a mobile device (or another device equipped with location-determination technology) connects to a cellular network, Wi-Fi network, or similar technical systems capable of determining location. Location data indicates the geographically identifiable position of the device on Earth. Such data may be used, for example, to provide map functions or other location-based services.
- Controller: The “Controller” is the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of processing personal data.
- Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is intentionally broad and covers virtually any handling of data, including collection, analysis, storage, transmission, disclosure, or deletion.