Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).

The terms used are not gender-specific.

Last updated: February 9, 2026

Table of Contents

  • Preamble
  • Controller
  • Overview of Processing Operations
  • Relevant Legal Bases
  • Security Measures
  • Transmission of Personal Data
  • International Data Transfers
  • General Information on Data Storage and Deletion
  • Rights of Data Subjects
  • Provision of Online Offering and Web Hosting
  • Use of Cookies
  • Contact and Inquiry Management
  • Communication via Messenger Services
  • Online Marketing
  • Customer Reviews and Rating Procedures
  • Social Media Presence
  • Processing of Data in Employment Relationships
  • Changes and Updates
  • Definitions of Terms

Controller

Andreas Erb – Espressomaschinisten
Bajuwarenstraße 59
81825 Munich
Germany

Email address: info@espressomaschinisten.de

Imprint: https://espressomaschinisten.de/impressum/

Overview of Processing Operations

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Inventory data
  • Employee data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and procedural data
  • Social data
  • Image and/or video recordings
  • Log data
  • Performance and behavioral data
  • Working time data
  • Salary data

Special Categories of Data

  • Health data
  • Religious or philosophical beliefs
  • Trade union membership

Categories of Data Subjects

  • Service recipients and clients
  • Employees
  • Communication partners
  • Users

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Tracking
  • Office and organizational procedures
  • Conversion measurement
  • Audience building
  • Organizational and administrative procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offering and user-friendliness
  • Establishment and execution of employment relationships
  • Information technology infrastructure
  • Public relations
  • Business processes and business management procedures

Relevant Legal Bases

Relevant legal bases according to GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in this privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Processing of special categories of personal data in relation to health, profession, and social security (Art. 9 para. 2 lit. h GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on applicability of GDPR and Swiss DPA: This privacy notice serves both to provide information under the Swiss Data Protection Act (DPA) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the broader spatial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DPA “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data”, the terms used in the GDPR “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DPA within the scope of its applicability.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, ensuring availability of, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, deletion of data, and responses to data threats. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more developed and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transmission of Personal Data

In the course of our processing of personal data, this data may be transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to other persons, entities, or companies (which becomes evident from the postal address of the respective provider or if the data transfer to third countries is expressly mentioned in the privacy policy), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a safe legal framework by an adequacy decision of the EU Commission dated July 10, 2023. Additionally, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

This dual safeguarding ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should changes arise within the framework of the DPF, the standard contractual clauses will serve as a reliable fallback option. In this way, we ensure that your data remains adequately protected even in the event of any political or legal changes.

For the individual service providers, we inform you whether they are certified under the DPF and whether standard contractual clauses exist. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, corresponding security measures apply, in particular standard contractual clauses, explicit consent, or legally required transfers. Information on third country transfers and applicable adequacy decisions can be found in the EU Commission’s information offer: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or there are no other legal bases for processing. This concerns cases in which the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that specifically applies to certain processing operations.

If several retention periods or deletion deadlines are specified for a data item, the longest period always applies. Data that is no longer retained for the originally intended purpose, but because of legal requirements or other reasons, is processed exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general deadlines apply for retention and archiving under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet, as well as the work instructions and other organizational documents required for their understanding (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
  • 8 years – Accounting documents, such as invoices and cost documents (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
  • 6 years – Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents to the extent they are relevant for taxation, e.g., hourly wage slips, operating accounting sheets, calculation documents, price labels, but also payroll documents if they are not already accounting documents and cash register receipts (§ 147 para. 1 no. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 no. 2 and 3 in conjunction with para. 4 HGB).
  • 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and customary industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Start of period at the end of the year: If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the period-triggering event occurred. In the case of ongoing contractual relationships within which data is stored, the period-triggering event is the time at which the termination or other ending of the legal relationship becomes effective.

Rights of Data Subjects

Rights of data subjects under the GDPR: As data subjects under the GDPR, you have various rights, which arise in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to obtain information about this data and further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right in accordance with legal requirements to request the completion of data concerning you or the correction of incorrect data concerning you.
  • Right to erasure and restriction of processing: You have the right in accordance with legal requirements to request that data concerning you be erased immediately, or alternatively to request restriction of the processing of the data in accordance with legal requirements.
  • Right to data portability: You have the right to receive personal data concerning you which you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
  • Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence, the supervisory authority of your place of work, or the place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

Provision of Online Offering and Web Hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved); log data (e.g., log files concerning logins or the retrieval of data or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures; provision of contractual services and fulfillment of contractual obligations.
  • Retention and deletion: Deletion in accordance with information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

  • Provision of online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called “web host”); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and as a rule IP addresses and the requesting provider. The server log files can be used on the one hand for security purposes, e.g., to avoid server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidence purposes is excluded from deletion until the final clarification of the respective incident.
  • 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy. Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/vereinbarung-zur-auftragsverarbeitung-avv-mit-ionos-abschliessen/.
  • Yoast SEO: Website optimization for search engines; Service provider: Yoast B.V., Don Emanuelstraat 3, 6602 GX Wijchen, Netherlands; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://yoast.com/; Privacy policy: https://www.newfold.com/privacy-center?currencyCode=EUR&langPref=de. Additional information: Operation within own hosting environment.
  • Classic Editor: Activates the classic WordPress editor with TinyMCE, meta boxes, and the old-style edit view. Allows the use of older plugins that extend this view; Service provider: org / Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; Website: https://wordpress.org/plugins/classic-editor/. Privacy policy: https://automattic.com/privacy/.
  • Fluent Forms: Advanced contact form plugin with drag-and-drop builder and multi-column support. Enables easy creation and management of forms; Service provider: WPManageNinja LLC, 2035 Sunset Lake Road Suite B-2, Newark, DE 19702, USA; Website: https://fluentforms.com/. Privacy policy: https://wpmanageninja.com/privacy-policy/.
  • FluentSMTP: SMTP connection plugin for reliable email delivery from WordPress. Supports various SMTP services and APIs; Service provider: WPManageNinja LLC, 2035 Sunset Lake Road Suite B-2, Newark, DE 19702, USA; Website: https://fluentsmtp.com/. Privacy policy: https://wpmanageninja.com/privacy-policy/.
  • Friendly Captcha for WordPress: Protects forms from spam and abuse using a GDPR-compliant, privacy-friendly captcha system; Service provider: Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany; Website: https://friendlycaptcha.com/. Privacy policy: https://friendlycaptcha.com/de/legal/privacy-end-users/.
  • Real Cookie Banner (Free): Enables GDPR and ePrivacy-compliant use of a cookie consent banner including management of legal information about cookies; Service provider: io GmbH, Tannet 12, 94539 Grafling, Germany; Website: https://devowl.io/. Privacy policy: https://devowl.io/privacy-policy/.
  • WP 2FA — Two-Factor Authentication for WordPress: Increases the security of WordPress logins by activating two-factor authentication; Service provider: MELAPRESS Ltd, St. Julian’s Business Centre, Elia Zammit Street, St. Julian’s STJ 3155, Malta; Website: https://melapress.com/wordpress-2fa-plugin/. Privacy policy: https://melapress.com/privacy-policy/.
  • WP VR: Plugin for creating 360° panorama views and virtual tours directly in WordPress; Service provider: Rextheme Ltd., House 124, Road 05, Avenue 02, Mirpur DOHS, Dhaka 1216, Bangladesh; Website: https://rextheme.com/wpvr/. Privacy policy: https://rextheme.com/privacy-policy/.
  • WPBakery Page Builder: Visual drag-and-drop page editor for WordPress to create custom layouts without programming knowledge; Service provider: WPBakery (Composium Inc.), Riga, Latvia; Website: https://wpbakery.com/. Privacy policy: https://wpbakery.com/privacy-policy/.
  • Yoast Duplicate Post: Enables copying, editing, and republishing of posts and pages; Service provider: Yoast BV, Don Emanuelstraat 3, 6602 GX Wijchen, Netherlands; Website: https://yoast.com/wordpress/plugins/duplicate-post/. Privacy policy: https://yoast.com/privacy-policy/.

Use of Cookies

The term “cookies” refers to functions that store and read information on users’ end devices. Cookies can also be used for different purposes, such as ensuring functionality, security, and convenience of online offerings, as well as creating analyses of visitor flows. We use cookies in accordance with legal regulations. For this purpose, we obtain the prior consent of users when required. If consent is not necessary, we rely on our legitimate interests. This applies if storing and reading information is essential to provide expressly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about its scope and about which cookies are used.

Notes on legal bases for data protection: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user revisits a website. The user data collected using cookies can also be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that they are permanent and that the storage duration can be up to two years.

General information on revocation and objection (opt-out): Users can revoke consents they have given at any time and also object to processing in accordance with legal requirements, including through the privacy settings of their browser.

  • Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Further information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution in which users’ consent to the use of cookies or to the procedures and providers mentioned in the consent management solution is obtained. This procedure serves to obtain, log, manage, and revoke consents, particularly with regard to the use of cookies and similar technologies that are used to store, read, and process information on users’ end devices. Within the framework of this procedure, users’ consents for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. The consent declarations are stored to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies in order to be able to assign consent to a specific user or their device. Unless specific information about the providers of consent management services is available, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information about the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and end device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information provided by inquiring persons is processed to the extent necessary to respond to contact inquiries and any requested measures.

  • Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts and information relating to them, such as information on authorship or time of creation); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and process the respective inquiry. This typically includes information such as name, contact information, and if applicable, additional information provided to us that is necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Communication via Messenger Services

We use messenger services for communication purposes and therefore ask you to observe the following notes on the functionality of messenger services, encryption, use of communication metadata, and your objection options.

You can also contact us by alternative means, e.g., by telephone or email. Please use the contact options communicated to you or the contact options provided within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that the communication content (i.e., the content of the message and attached images) is encrypted from end to end. This means that the content of messages cannot be viewed, not even by the messenger service providers themselves. You should always use a current version of the messenger with encryption activated to ensure encryption of message content.

However, we also point out to our communication partners that although the messenger service providers cannot view the content, they can find out that, and when, communication partners communicate with us, as well as technical information about the device used by communication partners and, depending on the settings of their device, location information (so-called metadata).

Notes on legal bases: If we ask communication partners for permission before communicating with them via messenger services, the legal basis for our processing of their data is their consent. Otherwise, if we do not ask for consent and they, for example, contact us, we use messenger services with our contractual partners and in the context of contract initiation as a contractual measure, and with other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and in meeting the needs of our communication partners for communication via messenger services. Furthermore, we point out that we do not transmit the contact data communicated to us to the messenger services for the first time without your consent.

Revocation, objection, and deletion: You can revoke consent you have given at any time and object to communication with us via messenger services at any time. In the case of communication via messenger services, we delete messages in accordance with our general deletion guidelines (i.e., for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any inquiries from communication partners, if no reference back to a previous conversation is to be expected and deletion is not prevented by legal retention obligations.

Reservation of reference to other communication channels: To ensure your security, we ask for your understanding that we may not be able to answer inquiries via messenger services for certain reasons. This applies to situations in which, for example, contract details must be treated as particularly confidential or an answer via messenger services does not meet formal requirements. In these cases, we recommend that you use more appropriate communication channels.

  • Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts and information relating to them, such as information on authorship or time of creation); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; direct marketing (e.g., by email or post).
  • Retention and deletion: Deletion in accordance with information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

  • Signal: Signal messenger with end-to-end encryption; Service provider: Privacy Signal Messenger, LLC 650 Castro Street, Suite 120-223 Mountain View, CA 94041, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://signal.org/de/. Privacy policy: https://signal.org/legal/.
  • WhatsApp: A communication service that enables sending and receiving text messages, voice messages, images, videos, documents, as well as voice and video calls via the Internet. Communication takes place via end-to-end encryption, whereby content is only accessible to the communication partners involved. To provide the service, the platform processes metadata (e.g., phone numbers, times, device information) and may use this to improve functionality, security, and service optimization; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.whatsapp.com/; Privacy policy: https://www.whatsapp.com/legal/privacy-policy-eea. Basis for third country transfers: Data Privacy Framework (DPF).

Online Marketing

We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on potential interests of users as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called “cookie”) or similar procedures are used, by means of which the information relevant to the display of the aforementioned content about the user is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their location data, this may also be processed.

The users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored in the online marketing process, but pseudonyms. This means that we as well as the providers of online marketing procedures do not know the actual user identity, but only the information stored in their profiles.

The statements in the profiles are generally stored in cookies or by means of similar procedures. These cookies can generally also be read later on other websites that use the same online marketing procedure and analyzed for the purpose of displaying content as well as supplemented with additional data and stored on the server of the online marketing procedure provider.

Exceptionally, clear data can be assigned to the profiles, primarily if users are members of a social network whose online marketing procedure we use and the network links user profiles with the aforementioned information. We ask you to note that users can enter into additional agreements with the providers, for example by giving consent during registration.

We generally only receive access to summarized information about the success of our advertisements. However, in the context of so-called conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, i.e., for example, to a contract with us. Conversion measurement is used solely for success analysis of our marketing measures.

Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Notes on revocation and objection:

We refer to the privacy notices of the respective providers and the objection options (so-called “opt-out”) stated for the providers. If no explicit opt-out option has been specified, you have the option of deactivating cookies in your browser settings. However, this may restrict functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for the respective territories:

  a) Europe: https://www.youronlinechoices.eu.
  b) Canada: https://youradchoices.ca/.
  c) USA: https://optout.aboutads.info/.
  d) Cross-territorial: https://optout.aboutads.info.

  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest/behavior-based profiling, use of cookies); audience building; marketing; profiles with user-related information (creation of user profiles); conversion measurement (measurement of the effectiveness of marketing measures).
  • Retention and deletion: Deletion in accordance with information in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

  • Google Ads and conversion measurement: Online marketing procedure for the purpose of placing content and advertisements within the service provider’s advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the advertisements. Furthermore, we measure the conversion of advertisements, i.e., whether users have taken them as an opportunity to interact with the advertisements and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Additional information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third country data transfers: https://business.safety.google/adscontrollerterms.

Customer Reviews and Rating Procedures

We participate in review and rating procedures to evaluate, optimize, and promote our services. When users rate us or otherwise provide feedback via the participating rating platforms or procedures, the general terms and conditions or terms of use and privacy notices of the providers also apply. As a rule, rating also requires registration with the respective providers.

To ensure that the persons submitting ratings have actually used our services, we transmit, with the customers’ consent, the data required for this purpose regarding the customer and the service used (including name, email address, and order number or article number) to the respective rating platform. This data is used solely to verify the authenticity of the user.

  • Types of data processed: Contract data (e.g., subject matter of contract, term, customer category); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Service recipients and clients; users (e.g., website visitors, users of online services).
  • Purposes of processing: Feedback (e.g., collecting feedback via online form); marketing.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

  • Google customer reviews: Service for obtaining and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Additional information: In the context of obtaining customer reviews, an identification number and the time for the business transaction to be rated, in the case of review requests sent directly to customers, the customer’s email address, and their indication of the country of residence, as well as the review information itself are processed; Further information on the types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on services Data processing terms between controllers and standard contractual clauses for third country data transfers: https://business.safety.google/adscontrollerterms.

Social Media Presence

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.

We point out that user data may be processed outside the territory of the European Union. This may result in risks for users because, for example, the enforcement of user rights could be made more difficult.

Furthermore, users’ data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on users’ usage behavior and resulting interests. The usage profiles may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to users’ interests. For this purpose, cookies are generally stored on users’ computers, in which users’ usage behavior and interests are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (particularly if they are members of the respective platforms and logged in there).

For a detailed description of the respective forms of processing and objection options (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the latter have access to users’ data in each case and can take appropriate measures directly and provide information. If you still need help, you can contact us.

  • Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts and information relating to them, such as information on authorship or time of creation); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g., collecting feedback via online form); public relations.
  • Retention and deletion: Deletion in accordance with information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Processing of Data in Employment Relationships

In the context of employment relationships, personal data is processed with the aim of effectively managing the establishment, execution, and termination of such relationships. This data processing supports various operational and administrative functions required for managing employee relationships.

In doing so, data processing encompasses various aspects ranging from contract initiation to contract termination. This includes the organization and administration of daily working hours, the management of access rights and authorizations, as well as the handling of personnel development measures and employee discussions. Processing also serves for accounting and the management of wage and salary payments, which represent critical aspects of contract execution.

In addition, data processing takes into account legitimate interests of the responsible employer, such as ensuring safety in the workplace or recording performance data for evaluating and optimizing operational processes. Furthermore, data processing includes the disclosure of employee data in the context of external communication and publication processes, where this is necessary for operational or legal purposes.

The processing of this data always takes place in compliance with the applicable legal framework, whereby the goal is always the creation and maintenance of a fair and efficient working environment. This also includes consideration of the data protection of the employees concerned, the anonymization or deletion of data after fulfillment of the processing purpose or in accordance with statutory retention periods.

  • Types of data processed: Employee data (information on employees and other persons in an employment relationship); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of contract, term, customer category); inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts and information relating to them, such as information on authorship or time of creation); social data (data subject to social secrecy and processed, for example, by social insurance carriers, social welfare agencies, or pension authorities); log data (e.g., log files concerning logins or the retrieval of data or access times); performance and behavioral data (e.g., performance and behavioral aspects such as performance evaluations, feedback from supervisors, training participation, compliance with company policies, self-assessments, and behavioral assessments); working time data (e.g., start of working time, end of working time, actual working time, target working time, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); salary data (e.g., basic salary, bonus payments, premiums, tax class information, surcharges for night work/overtime, tax deductions, social security contributions, net payment amount); image and/or video recordings (e.g., photographs or video recordings of a person); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Special categories of personal data: Health data; religious or philosophical beliefs; trade union membership.
  • Data subjects: Employees (e.g., employees, applicants, temporary staff, and other workers).
  • Purposes of processing: Establishment and execution of employment relationships (processing of employee data in the context of establishing and executing employment relationships); business processes and business management procedures; provision of contractual services and fulfillment of contractual obligations; public relations; security measures; office and organizational procedures.
  • Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); processing of special categories of personal data in relation to health, profession, and social security (Art. 9 para. 2 lit. h GDPR).

Further information on processing operations, procedures, and services:

  • Working time recording: Procedures for recording employees’ working hours include both manual and automated methods, such as the use of time clocks, time recording software, or mobile apps. Activities such as entering arrival and departure times, break times, overtime, and absences are carried out. For verification and validation of recorded working times, comparison with deployment or shift schedules, verification of absences, and approval of overtime by supervisors are included. Reports and analyses are prepared based on recorded working times to provide working time records, overtime reports, and absence statistics for management and the human resources department; Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Authorization management: Procedures required for defining, managing, and controlling access rights and user roles within a system or organization (e.g., creating authorization profiles, role and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Special categories of personal data: Special categories of personal data are processed in the context of the employment relationship or to fulfill legal obligations. The special categories of personal data processed include data concerning health, trade union membership, or religious affiliation of employees. This data may be passed on to health insurance companies or processed to assess the working capacity of employees or for occupational health management or for information to the tax office; Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Sources of processed data: Personal data is processed that was received in the context of the application and/or employment relationship of employees. In addition, if legally required, personal data is collected from other sources. These may include financial authorities for tax-relevant information, the respective health insurance company for information about incapacity for work, third parties such as employment agencies, or publicly available sources such as professional social networks in the context of application procedures; Legal bases: Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Purposes of data processing: The personal data of employees is primarily processed to establish, execute, and terminate the employment relationship. Furthermore, the processing of this data is necessary to fulfill legal obligations in the areas of tax and social insurance law. In addition to these primary purposes, employees’ data is also used to fulfill regulatory and supervisory requirements, to optimize electronic data processing processes, and to compile internal or cross-company data, possibly including statistical data. Furthermore, employees’ data may be processed for the assertion of legal claims and for defense in legal disputes; Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Transmission of employee data: Employees’ data is processed internally only by those departments that need this data to fulfill operational, contractual, and legal obligations.
    The disclosure of data to external recipients only takes place if this is legally required or if the employees concerned have given their consent. Possible scenarios include requests for information from authorities or the existence of capital formation benefits. Furthermore, the controller may forward personal data to other recipients to the extent necessary to fulfill its contractual and legal obligations as an employer. These recipients may include:
      a) Banks
      b) Health insurance companies, pension insurance carriers, old-age provision carriers, and other social insurance carriers
      c) Authorities, courts (e.g., tax authorities, labor courts, other supervisory authorities in the context of fulfilling reporting and disclosure obligations)
      d) Tax and legal advisors
      e) Third-party debtors in the case of wage and salary garnishments
      f) Other bodies to which legally mandatory declarations must be made.
    In addition, data may be passed on to third parties if this is necessary for communication with business partners, suppliers, or other service providers. Examples of this are information in the sender area of emails or letterheads as well as the creation of profiles on external platforms; Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Transmission of employee data to third countries: The transmission of employee data to third countries, i.e., countries outside the European Union (EU) and the European Economic Area (EEA), only takes place if this is necessary for the fulfillment of the employment relationship, is legally required, or if employees have given their consent. Employees are informed separately about the details where legally required; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Business travel and travel expense accounting: Procedures required for planning, executing, and accounting for business trips (e.g., booking travel, organizing accommodation and means of transport, managing travel expense advances, submitting and reviewing travel expense reports, controlling and posting incurred costs, compliance with travel policies, processing travel expense management); Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Remuneration accounting and payroll accounting: Procedures required for calculating, paying, and documenting wages, salaries, and other remuneration of employees (e.g., recording working times, calculating deductions and allowances, payment of taxes and social insurance contributions, preparation of wage and salary statements, maintenance of payroll accounts, reporting to tax offices and social insurance carriers); Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).
  • Deletion of employee data: Employee data is deleted under German law when it is no longer required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or due to the employer’s interests. The following retention and archiving obligations are observed:
    • General personnel documents – General personnel documents (such as employment contract, work reference, supplementary agreements) are retained for up to three years after termination of the employment relationship (§ 195 BGB).
    • Tax-relevant documents – Tax-relevant documents in the personnel file are retained for six years (§ 147 AO, § 257 HGB).
    • Information on work remuneration and working hours – Information on work remuneration and working hours for (accident) insured persons with wage evidence is retained for five years (§ 165 I 1, IV 2 SGB VII).
    • Salary lists including lists for special payments – Salary lists including lists for special payments, if an accounting document is available, are retained for ten years (§ 147 AO, § 257 HGB).
    • Wage lists for interim, final, and special payments – Wage lists for interim, final, and special payments are retained for six years (§ 147 AO, § 257 HGB).
    • Documents on employee insurance – Documents on employee insurance, if accounting documents are available, are retained for ten years (§ 147 AO, § 257 HGB).
    • Contribution statements to social insurance carriers – Contribution statements to social insurance carriers are retained for ten years (§ 165 SGB VII).
    • Payroll accounts – Payroll accounts are retained for six years (§ 41 I 9 EStG).
    • Applicant data – Retained for a maximum of six months from receipt of rejection.
    • Working time records (for more than 8 hours on working days) – Retained for two years (§ 16 II Working Time Act (ArbZG)).
    • Application documents (after online job advertisement) – Retained for three to a maximum of six months after receipt of rejection (§ 26 Federal Data Protection Act (BDSG) n.F., § 15 IV General Equal Treatment Act (AGG)).
    • Certificates of incapacity for work (AU) – Retained for up to five years (§ 6 I Compensation of Expenses Act (AAG)).
    • Documents on occupational pension provision – Retained for 30 years (§ 18a Act to Improve Occupational Pension Provision (BetrAVG)).
    • Health data of employees – Retained for twelve months after the start of illness if absences in one year do not exceed six weeks.
    • Maternity protection documents – Retained for two years (§ 27 para. 5 MuSchG).

Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), processing of special categories of personal data in relation to health, profession, and social security (Art. 9 para. 2 lit. h GDPR).

  • Personnel file management: Procedures required for organizing, updating, and managing employee data and documents (e.g., recording personnel master data, storing employment contracts, certificates, and attestations, updating data when changes occur, compiling documents for employee discussions, archiving personnel files, compliance with data protection regulations); Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), processing of special categories of personal data in relation to health, profession, and social security (Art. 9 para. 2 lit. h GDPR).
  • Personnel development, performance evaluation, and employee discussions: Procedures required in the area of promoting and developing employees as well as evaluating their performance and in the context of employee discussions (e.g., needs analysis for further training, planning and implementation of training measures, preparation of performance evaluations, conducting target agreement and feedback discussions, career planning and talent management, succession planning); Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), processing of special categories of personal data in relation to health, profession, and social security (Art. 9 para. 2 lit. h GDPR).
  • Obligation to provide data: The controller informs employees that the provision of their data is required. This is generally the case if the data is necessary for establishing and executing the employment relationship or if its collection is legally required. The provision of data may also be required if employees assert claims or claims are due to employees. The implementation of these measures or fulfillment of services depends on the provision of this data (for example, providing data for the purpose of receiving wages); Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Publication and disclosure of employees’ data: Employees’ data is only published or disclosed to third parties if this is necessary to perform work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website, or in public registers after consultation or agreed job description, or if the job description includes representative functions. This may also be the case if representation or communication with the public takes place in the context of performing tasks, such as image recordings in the context of public relations. Otherwise, publication of employees’ data only takes place with their consent or on the basis of legitimate interests of the employer, for example in the case of stage or group image recordings in the context of a public event; Legal bases: Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please check the information before contacting them.

Definitions of Terms

This section provides you with an overview of the terminology used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations, on the other hand, are primarily intended to aid understanding.

  • Employees: Employees are persons who are in an employment relationship, whether as workers, employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee that is established by an employment contract or agreement. It includes the employer’s obligation to pay remuneration to the employee while the employee provides their work performance. The employment relationship encompasses various phases, including establishment, in which the employment contract is concluded, execution, in which the employee carries out their work activity, and termination, when the employment relationship ends, whether through dismissal, termination agreement, or otherwise. Employee data is all information relating to these persons and in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank data, working times, vacation entitlements, health data, and performance evaluations.
  • Inventory data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between persons and services, facilities, or systems by enabling clear assignment and communication.
  • Content data: Content data includes information generated in the course of creating, editing, and publishing content of all kinds. This category of data may include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content but also includes metadata that provides information about the content itself, such as tags, descriptions, author information, and publication dates.
  • Contact data: Contact data is essential information that enables communication with persons or organizations. It includes telephone numbers, postal addresses, and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.
  • Conversion measurement: Conversion measurement (also referred to as “visitor action evaluation”) is a method that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on users’ devices within the websites where the marketing measures take place and then retrieved again on the target website. For example, we can track whether the advertisements we placed on other websites were successful.
  • Performance and behavioral data: Performance and behavioral data refers to information related to how people accomplish tasks or behave in a particular context, such as in an educational, work, or social environment. This data may include metrics such as productivity, efficiency, work quality, attendance, and compliance with guidelines or procedures. Behavioral data could include interactions with colleagues, communication styles, decision-making processes, and responses to various situations. These types of data are often used for performance evaluations, training and development measures, and decision-making within organizations.
  • Meta, communication, and procedural data: Meta, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It may include information on file size, creation date, author of a document, and revision histories. Communication data captures the exchange of information between users through various channels, such as email traffic, call logs, messages on social networks, and chat histories, including the persons involved, timestamps, and transmission paths. Procedural data describes the processes and procedures within systems or organizations, including workflow documentation, logs of transactions and activities, as well as audit logs used to track and review operations.
  • Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data encompasses a wide range of information showing how users use applications, which features they prefer, how long they stay on certain pages, and through which paths they navigate through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal data: “Personal data” means all information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles with user-related information: The processing of “profiles with user-related information”, or “profiles” for short, includes any kind of automated processing of personal data that consists of using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are frequently used for profiling purposes.
  • Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used for analyzing system problems, security monitoring, or creating performance reports.
  • Reach measurement: Reach measurement (also referred to as web analytics) serves to evaluate visitor flows to an online offering and may include visitors’ behavior or interests in certain information, such as content of websites. With the help of reach analysis, operators of online offerings can, for example, recognize at what time users visit their websites and what content they are interested in. This allows them, for example, to better adapt the content of the websites to the needs of their visitors. Pseudonymous cookies and web beacons are frequently used for reach analysis purposes to recognize returning visitors and thus obtain more accurate analyses of the use of an online offering.
  • Tracking: “Tracking” refers to the ability to track users’ behavior across multiple online offerings. As a rule, with regard to the online offerings used, behavioral and interest information is stored in cookies or on servers of the tracking technology providers (so-called profiling). This information can subsequently be used, for example, to display advertisements to users that presumably correspond to their interests.
  • Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether it be collection, evaluation, storage, transmission, or deletion.
  • Contract data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This data category is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include start and end dates of the contract, the type of agreed services or products, price agreements, payment terms, cancellation rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment data: Payment data includes all information required for processing payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers, and billing information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.

  • Audience building: Audience building (“Custom Audiences”) refers to determining target groups for advertising purposes, e.g., displaying advertisements. For example, based on a user’s interest in certain products or topics on the Internet, it can be concluded that this user is interested in advertisements for similar products or the online shop in which they viewed the products. “Lookalike Audiences” (or similar target groups) refers to content considered suitable being displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purposes of creating custom audiences and lookalike audiences.
