Privacy policy

Introduction

With the following privacy policy, we would like to inform you about the types of personal data we process (hereinafter also referred to as "data"), for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our web pages, in mobile applications, and where we otherwise have an online presence, such as our social media profiles (hereinafter collectively referred to as our "online offering").

We have kept our language gender-neutral.

Status: March 1, 2021

Table of contents

• Introduction
• Data controller
• Processing overview
• Contact details of data protection officer
• Relevant legal bases
• Security measures
• Transfer of personal data
• Data processing in third countries
• Use of cookies
• Business services
• Payment service providers
• Provision of our online offering and web hosting
• Specific information regarding applications (apps)
• Registration, login, and user account
• Single sign-on
• Blogs and publication media
• Making contact
• Communication using messenger services
• Video conferencing, online meetings, webinars, and screen sharing
• Application procedure
• Cloud services
• Newsletter and electronic notifications
• Promotional communication by email, post, fax, or telephone
• Prize draws and competitions
• Web analytics, monitoring, and optimization
• Online marketing
• Presence on social networking sites (social media)
• Plug-ins and embedded features and content
• Management, organization, and auxiliary tools
• Data deletion
• Modifications and updates to the privacy policy
• Rights of the data subjects
• Definitions of terms

Data controller

itl Institut für technische Literatur AG
Elsenheimerstraße 65-67
80687 Munich, Germany
Germany

Authorized representatives: Diana Langfahl, Peter Kreitmeier.

Email address: info@itl.eu.

Tel.: +49 89 892623-0.

Legal notice: https://www.itl.eu/de/site-services/impressum.html.

Contact details of data protection officer

Oliver Kunert
External data protection officer

itl-datenschutz@itl.eu (preferred contact channel)

Processing overview

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

• General data (e.g., names, addresses).
• Applicant data (e.g., personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, references, as well as other personal or qualification-related information disclosed by applicants with regard to a specific position or voluntarily).
• Content data (e.g., entries in online forms).
• Contact information (e.g., email, phone numbers).
• Meta data/communication data (e.g., device information, IP addresses).
• Usage data (e.g., web pages visited, interest in content, access times).
• Contract data (e.g., subject matter of the contract, term, customer category).
• Payment data (e.g., bank details, invoices, payment history).

Categories of data subjects

• Staff members (e.g., current employees, applicants, former employees).
• Applicants.
• Business and contractual partners.
• Interested parties.
• Communication partners.
• Customers.
• Users (e.g., website visitors, users of online services).
• Participants in prize draws and competitions.

Processing purposes

• Login procedure.
• Provision of our online offering and user friendliness.
• Conversion measurement (measurement of the effectiveness of marketing measures).
• Application procedure (establishment and any subsequent execution as well as possible subsequent termination of the employment relationship).
• Office and organizational procedures.
• Direct marketing (e.g., by email or post).
• Conducting prize draws and competitions.
• Feedback (e.g., gathering feedback via an online form).
• Marketing.
• Contact requests and communication.
• Profiles with user-related information (creation of user profiles).
• Reach measurement (e.g., access statistics, detection of returning visitors).
• Security measures.
• Surveys and questionnaires (e.g., surveys with input options, multiple-choice questions).
• Provision of contractual services and customer service.
• Managing and responding to inquiries.

Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, the national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6(1)(a) of the GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6(1)(c) of the GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Fulfillment of public interests (Art. 6(1)(e) of the GDPR) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Legitimate interests (Art. 6(1)(f) of the GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
• Application procedure as a pre-contractual or contractual relationship (Art. 9(2)(b) of the GDPR) - Insofar as special categories of personal data within the meaning of Art. 9(1) of the GDPR (e.g., health data, such as severely disabled status, or ethnic origin) are disclosed by applicants as part of the application procedure, the processing of such data is carried out in accordance with Art. 9(2)(b) of the GDPR for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in accordance with Art. 9(2)(c) of the GDPR to protect the vital interests of the applicants or other persons, or in accordance with Art. 9(2)(h) of the GDPR for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. If special categories of data are disclosed on the basis of voluntary consent, such data shall be processed on the basis of Art. 9(2)(a) of the GDPR.

National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. In particular, these include the Act on the Protection against Misuse of Personal Data in Data Processing (German Federal Data Protection Act – BDSG). In particular, the BDSG contains special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of employment relationships (Section 26 of the BDSG), in particular with regard to the establishment, execution or termination of employment relationships as well as the consent of employees. Regional data protection laws of the individual German federal states may also apply.

Security measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with legal requirements, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

In particular, this includes ensuring the confidentiality, integrity and availability of data by implementing control measures for physical and electronic access to the data as well as for gaining entry to, inputting, disclosing, ensuring the availability of and segregating the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data compromise. Moreover, we take the protection of personal data into account as early as the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through default settings that are in keeping with data protection.

IP address shortening: If IP addresses are processed by us or by the service providers and technologies used and the processing of a full IP address is not required, the IP address is shortened (also referred to as "IP masking"). As part of this, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The shortening of the IP address is intended to prevent or make it significantly more difficult to identify a person by their IP address.

SSL encryption (https): To protect the data you transmit via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

Transfer of personal data

In the course of our processing of personal data, the data may be transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a web page. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data in order to protect your data.

Data transfer within the corporate group:

We may transfer personal data to other companies within our corporate group or grant them access to this data. Insofar as this transfer is for administrative purposes, the transfer of data is based on our legitimate corporate and business interests or takes place insofar as it is necessary for the fulfillment of our contract-related obligations or if there is consent from the data subjects or legal permission.

Data processing in third countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this will only be done in accordance with legal requirements.

Except in the case of express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, a contractual obligation through standard protection clauses of the EU Commission, certificates, or binding internal data protection regulations (Art. 44 to 49 of the GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Use of cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie is primarily used to store information about a user during or after their visit to an online offering. Stored information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched. In our interpretation, the term "cookies" also includes other technologies that perform the same functions as cookies (e.g., when user information is stored by means of pseudonymous online identifiers, also referred to as "user IDs").

Below is an explanation of the various cookie types and functions:

• Temporary cookies (also referred to as session cookies): Temporary cookies are deleted at the latest when a user leaves an online offering and closes their browser.
• Permanent cookies: Permanent cookies continue to be stored even after the browser has been closed. Among other things, that allows the login status to be saved or preferred content to be immediately displayed when the user revisits a website. The interests of users can also be stored in this type of cookie in order to measure reach or for marketing purposes.
• First-party cookies: First-party cookies are set by us.
• Third-party cookies: Third-party cookies are mainly used by advertisers (third parties) to process user information.
• Necessary cookies (also referred to as essential or strictly necessary cookies): Cookies may be strictly necessary for the operation of a website (for example to store logins or other user entries or for security reasons).
• Statistical, marketing and personalization cookies: In addition, cookies are generally also used in the context of reach measurement and when a user's interests or behavior (viewing certain content, using features, etc.) on individual web pages are stored in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also called "tracking", i.e., tracking the potential interests of users. In the event that we use cookies or "tracking" technologies, we will inform you separately in our privacy policy or in the context of obtaining consent.

Notes on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this applies and you consent to the use of cookies, the legal basis for the processing of your data is the declared consent. Otherwise, the data processed with the help of cookies will be done so on the basis of our legitimate interests (e.g., to operate our online offering for business purposes and improve it) or if the use of cookies is necessary to fulfill our contractual obligations.

Storage period: If we do not provide you with explicit information about the storage period of permanent cookies (e.g., in the context of a cookie opt-in step), please assume that the storage period can be up to two years.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke any consent you have given or to object to the processing of your data by cookie technologies (collectively referred to as "opt-out"). You can initially declare your objection via your browser settings, for example by disabling the use of cookies (although this may also limit the functionality of our online offering). You can also object to the use of cookies for online marketing purposes by means of a variety of services, especially in the case of tracking, on the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can find further instructions on how to object in the information provided on the service providers and cookies used.

Processing of cookie data based on consent: We use a cookie consent management procedure whereby the consent of users can be obtained in relation to the use of cookies or the processing operations and providers mentioned in the cookie consent management procedure and whereby users can manage and revoke their consent. As part of this, the declaration of consent is stored so that it does not have to be repeated and the consent can be proven in accordance with the legal obligation. The storage can take place on the server side and/or in a cookie (in what is referred to as an opt-in cookie or with the help of similar technologies) in order to be able to assign the consent to a user or their device. Unless otherwise stipulated in the individual information provided on the cookie management service providers, the following applies: The duration of the storage of consent can be up to two years. Here, a pseudonymous user identifier is formed and stored with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and end device used.

Cookie settings/objection option:

https://www.cookiebot.com/en/

• Types of data processed: usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• Cookiebot: cookie consent management; service provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark; website: https://www.cookiebot.com/en/; privacy policy: https://www.cookiebot.com/en/privacy-policy/; data stored (on the service provider's server): the user's IP number in anonymized form (the last three digits are set to 0), the date and time of consent, browser details, the URL from which the consent was sent, an anonymous, random and encrypted key value; the user's consent status.

Business services

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners"), in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual (or pre-contractual) partners, for example to answer inquiries.

We process this data to fulfill our contractual obligations, to safeguard our rights, and for the purposes of the administrative tasks associated with this information as well as for business organization. Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the data subjects (e.g., to involved telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). The contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

We inform the contractual partners about which data is required for the aforementioned purposes before or in the course of data collection, for example in online forms, by means of special marking (e.g., colors), symbols (e.g., asterisks or similar), or in person.

We delete the data after the expiry of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, for example, and it must be retained for legal archiving reasons (e.g., generally 10 years for tax purposes). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order.

Insofar as we use third-party providers or platforms to render our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

Customer account: Contractual partners can create an account within our online offering (e.g., customer or user account, "customer account" for short). If a customer account needs to be registered, contractual partners will be informed of this as well as of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. Within the scope of registration and subsequent logins and use of the customer account, we store the IP addresses of the customers along with the access times in order to prove registration and to be able to prevent any misuse of the customer account.

If customers cancel their customer account, the data pertaining to the customer account will be deleted, unless it needs to be retained for legal reasons. It is the responsibility of the customers to back up their data upon cancellation of their customer account.

Agency services: We process the data of our customers as part of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training services.

Project and development services: We process the data of our customers and clients (hereinafter collectively referred to as "customers") in order to enable them to select, purchase or commission the selected services or work and related activities as well as to facilitate the payment, provision, execution or performance thereof.

The required information is identified as such upon entering into the assignment, purchase order or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to discuss details where applicable. To the extent that we obtain access to information pertaining to end users, employees or other persons, we process this in accordance with legal and contractual requirements.

Offering software and platform services: We process the data of our users, registered users and any test users (hereinafter collectively referred to as "users") in order to be able to provide our contractual services to them and on the basis of legitimate interests in order to ensure the security of our offering and to be able to develop it further. The required information is identified as such upon entering into the assignment, purchase order or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to discuss details where applicable.

Events: We process the data of those participating in events or similar activities offered or hosted by us (hereinafter collectively referred to as "participants" and "events") in order to enable them to participate in the events and to benefit from the services or promotions associated with participation.

If we process health-related, religious, political or other special categories of data in this context, then this is done within the scope of disclosure (e.g., for thematically oriented events), serves health care or security purposes, or is done with the consent of the data subjects.

The required information is identified as such upon entering into the assignment, purchase order or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to discuss details where applicable. To the extent that we obtain access to information pertaining to end users, employees or other persons, we process this in accordance with legal and contractual requirements.

Further information on commercial services: We process the data of our customers and clients (hereinafter collectively referred to as "customers") in order to enable them to select, purchase or commission the selected services or work and related activities as well as to facilitate the payment, delivery, execution or performance thereof.

The required information is identified as such upon entering into the assignment, purchase order or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to discuss details where applicable.

• Types of data processed: general data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact information (e.g., email, phone numbers), contract data (e.g., subject matter of the contract, term, customer category), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: interested parties, business and contractual partners, customers.
• Processing purposes: provision of contractual services and customer service, contact requests and communication, office and organizational procedures, managing and responding to inquiries, security measures.
• Legal bases: contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legal obligation (Art. 6(1)(c) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Payment service providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in addition to banks and credit institutions for this purpose (collectively referred to as "payment service providers").

The data processed by the payment service providers includes general data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as information relating to the contract, total amount and recipient. The information is necessary to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. In other words, we do not receive any account or credit card information, but are only informed as to whether the payment was successful or failed. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check the payer's identity and credit rating. In this regard, we refer to the terms and conditions and data protection notices of the payment service providers.

The terms and conditions and data protection notices of the respective payment service providers, which can be accessed on the respective websites or transaction applications, shall apply to the payment transactions. We also refer to these for further information and assertion of revocation, access and other data subject rights.

• Types of data processed: general data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contract data (e.g., subject matter of the contract, term, customer category), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: customers, interested parties.
• Processing purposes: provision of contractual services and customer service.
• Legal bases: contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• PayPal: payment services and solutions (e.g., PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; website: https://www.paypal.com/en; privacy policy: https://www.paypal.com/us/webapps/mpp/ua/privacy-full?locale.x=en_us.

Provision of our online offering and web hosting

In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.

The data processed in the course of providing the hosting service may include all information concerning the users of our online offering that is generated in the course of use and communication. This routinely includes the IP address, which is necessary to be able to deliver the content of online offerings to browsers, and all entries made within our online offering or from web pages.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data pertaining to every access to the server (referred to as server log files). The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider.

The server log files may be used, on the one hand, for security purposes, for example to prevent server overload (especially in the case of abusive attacks, known as DDoS attacks) and, on the other hand, to ensure maximum utilization of the servers and their stability.

• Types of data processed: content data (e.g., entries in online forms), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Legal bases: legitimate interests (Art. 6(1)(f) of the GDPR).

Providing the website and creating log files 

Description and extent of the data processing 

The website or parts thereof are hosted on servers owned by service providers commissioned by us. 

Whenever our website is called up, our system automatically records data and information from the system of the computer being used to access the website. 

The following data is collected in this context:

• IP address (not shortened)
• Timestamp (date and time)
• Request protocol
• The requested URL path
• Status code
• Bytes sent
• Referrer
• User agent

This data is stored in the web host’s system. It is not stored together with other personal data of the user. 

Purpose and legal basis of the data processing 

The system must temporarily store the IP address in order to deliver the website to the user’s computer. 

The data is stored in log files in order to ensure that the website functions properly. The data also allows us to optimise the website and ensure the security of our IT systems. 

These purposes also constitute our legitimate interests in the data processing in accordance with Art. 6(1)(f) of the GDPR. 

Our provider also uses the log files in emergencies to identify and block malware and bots. For example, IP addresses calling up certain content numerous times are recorded. If such an IP address leads to a high load or overloading and we deem the IP address to be malicious, we block it. These purposes also constitute our legitimate interests in the data processing in accordance with Art. 6(1)(f) of the GDPR. 

Storage period 

The data is deleted as soon as it is no longer required for fulfilling the purpose of its collection. In cases where the data is collected in order to provide the website, the data is deleted when the current session ends. 

In cases where the data is stored in log files in order to ensure the security of the IT systems, the data is deleted after seven days at the latest. The provider does not make any backups of the log files. 

Right to object and right to erasure 

The data is collected for the purpose of providing the website, and the data needs to be stored in log files in order to operate the website. The user therefore does not have the right to object.

Providing the website and creating log files

Description and extent of the data processing

The website or parts thereof are hosted on servers owned by service providers commissioned by us. 

Whenever our website is called up, our system automatically records data and information from the system of the computer being used to access the website. 

The following data is collected in this context:

Specific information regarding applications (apps)

We process the data of the users of our application insofar as this is necessary to provide the users with the application and its functionalities, to monitor the application's security, and to further develop it. We may also contact users in compliance with legal requirements, provided that the communication is necessary for purposes of administration or use of the application. In all other respects, we refer to the data protection information in this privacy policy with regard to the processing of user data.

Legal bases: The processing of data required for the provision of the functionalities of the application serves the fulfillment of contractual obligations. This also applies if the provision of the functions requires user authorization (e.g., enabling device functions). If the processing of data is not necessary for the provision of the functionalities of the application, but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or security purposes), it is based on our legitimate interests. If users are expressly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on the consent given.

Storage of a universally unique identifier (UUID): The application stores a universally unique identifier (UUID) for the purposes of analyzing the use and functionality of the application and storing user settings. This identifier is generated when this application is installed (but is not associated with the device, so it is not a device identifier in this sense), remains stored between the launch of the application and its updates, and is deleted when users remove the application from their device.

Device permissions for access to functions and data: The use of our application or its functionalities may require user permissions for access to certain functions of the devices used or to the data stored on the devices or accessible by means of the devices. By default, these permissions must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions can vary depending on the users' device and software. Users can contact us if they need clarification. We would like to point out that the denial or revocation of the respective permissions may affect the functionality of our application.

No location history and no movement profiles: Location data is only used for that particular moment in time and is not processed to create a location history or a movement profile of the devices used or their users.

• Types of data processed: general data (e.g., names, addresses), meta data/communication data (e.g., device information, IP addresses).
• Processing purposes: provision of contractual services and customer service.
• Legal bases: consent (Art. 6(1)(a) of the GDPR), contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Registration, login, and user account

Users can create a user account. In the course of registration, users are asked for the required mandatory data, which is processed for the purpose of providing the user account on the basis of contractual obligation fulfillment. The processed data particularly includes the login information (user name, password as well as an email address).

Within the scope of using our registration and login functions and using the user account, we store the IP address and the time of the corresponding user action. The storage is based on our legitimate interests as well as those of users in terms of protection against misuse and other unauthorized use. As a general rule, this data will not be passed on to third parties unless it is necessary for pursuing our claims or there is a legal obligation to do so.

Users may be informed by email about processes relevant to their user account, such as technical changes.

Registration with real name: Due to the nature of our community, we ask users to only use our offering with their real name. The use of pseudonyms is thus not permitted.

Deletion of data after cancellation: If users cancel their user account, their data in relation to the user account will be deleted, except in the case of legal permission, obligation, or user consent.

It is the responsibility of the users to back up their data before the end of the contract if they cancel their user account. We are entitled to irretrievably delete all user data that was stored during the term of the contract.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: provision of contractual services and customer service, security measures, managing and responding to inquiries.
• Legal bases: contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Single sign-on

Single sign-on is a method that allows users to log on to a provider of single sign-on procedures (e.g., a social networking site), including our online offering, by means of a user account. The prerequisite for single sign-on authentication is that users are registered with the respective single sign-on provider and enter the required access data in the online form provided for this purpose, or are already logged on to the single sign-on provider and confirm the single sign-on via a button.

The respective single sign-on provider directly authenticates this. In the course of such authentication, we receive both a user ID with the information that the user is logged in to the respective single sign-on provider under this user ID as well as an ID that cannot be used by us for other purposes (a "user handle"). Whether additional data is transmitted to us depends solely on the single sign-on procedure used, on the data releases selected as part of authentication, and also on which data users have released in the privacy or other settings of the user account held with the single sign-on provider. This can be different data depending on the single sign-on provider and the choice of users; usually it is the email address and the user name. The password entered as part of the single sign-on procedure for the single sign-on provider can neither be viewed by us nor is it stored by us.

Users are made aware that their details stored with us may be automatically synced with their user account held with the single sign-on provider, but that this is not always possible or actually occurs. If, for example, users' email addresses change, they must update them manually in their user account held with us.

We may use single sign-on as part of or prior to contract performance if agreed with users, process it as part of consent where users have been asked for this, and otherwise use it based on our legitimate interests and the interests of users in terms of having an effective and secure login system.

Should users ever decide that they no longer wish to use the link of their user account held with the single sign-on provider for the single sign-on procedure, they must remove this link within their user account held with the single sign-on provider. If users wish to delete their data stored by us, they must cancel their registration with us.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: provision of contractual services and customer service, login procedure.
• Legal bases: consent (Art. 6(1)(a) of the GDPR), contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• Google single sign-on: authentication service; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.google.com; privacy policy: https://policies.google.com/privacy; objection option (opt-out): settings for the display of ads: https://adssettings.google.com/authenticated.
• Microsoft single sign-on: authentication service; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://www.microsoft.com; privacy policy: https://privacy.microsoft.com/en-us/privacystatement, security information: https://www.microsoft.com/en-us/trust-center.
• OpenID single sign-on: authentication service; service provider: OpenID Foundation, 2400 Camino Ramon, Suite 375, San Ramon, CA 94583, USA; website: https://openid.net; privacy policy: https://openid.net/foundation/policies/.

Blogs and publication media

We use blogs or similar means of online communication and publication (hereinafter referred to as "publication media"). Readers' data is processed for the purposes of the publication media only to the extent necessary for its presentation and communication between authors and readers or for security reasons. In all other respects, we refer to the information in this privacy policy with regard to the processing of visitors to our publication media.

Comments and posts: When users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This is done for our security in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves may be prosecuted for the comment or post, so it is in our interest to know the identity of the author.

Furthermore, we reserve the right to process user data for the purpose of spam detection on the basis of our legitimate interests.

On the same legal basis, in the case of surveys, we reserve the right to store the IP addresses of users for the duration of the survey being conducted and to use cookies to avoid multiple answering.

The personal information disclosed in the context of comments and posts, any contact and website information as well as the content-related information will be stored permanently by us until the user objects.

Comment subscriptions: Users can subscribe to follow-up comments by giving their consent. Users will receive a confirmation email to verify that they are the owner of the email address entered. Users can unsubscribe from current comment subscriptions at any time. The confirmation email will include instructions on how to cancel. For the purpose of proving user consent, we store the time of subscription along with the user's IP address and delete this information when the user unsubscribes.

You can cancel the receipt of our subscription at any time, i.e., revoke your consent. We may store unsubscribed email addresses for up to three years before deleting them on the basis of our legitimate interests to prove that consent was previously given. The processing of this data is limited to the purpose of potentially defending ourselves against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: provision of contractual services and customer service, feedback (e.g., gathering feedback via an online form), security measures, managing and responding to inquiries, contact requests and communication.
• Legal bases: contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR), consent (Art. 6(1)(a) of the GDPR).

Making contact

When contacting us (e.g., via contact form, email, telephone, or social media), the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

Contact requests are responded to in the context of contractual or pre-contractual relationships in order to fulfill our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), payment data (e.g., bank details, invoices, payment history), contract data (e.g., subject matter of the contract, term, customer category), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: communication partners, customers, users (e.g., website visitors, users of online services).
• Processing purposes: contact requests and communication, managing and responding to inquiries, feedback (e.g., gathering feedback via an online form), surveys and questionnaires (e.g., surveys with input options, multiple-choice questions).
• Legal bases: contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR), fulfillment of public interests (Art. 6(1)(e) of the GDPR).

Services and service providers used:

• HubSpot: customer support and service software (managing customer inquiries from various channels), ticketing system, feedback, satisfaction and other surveys; service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; website: https://www.hubspot.com; privacy policy: https://legal.hubspot.com/privacy-policy.

Communication using messenger services

We use messengers for communication purposes and therefore ask you to be aware of the following information on the functionality of the messengers, on encryption, on the use of the meta data of the communication, and on your objection options.

You can also contact us by alternative means, e.g., by telephone or email. Please use the contact details shared with you or the contact details specified within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), please note that the communication content (i.e., the content of the message and attached images) is encrypted from end to end. This means that the content of the messages is not viewable, not even by the messenger providers themselves. You should always use an up-to-date version of the messengers with encryption enabled to ensure that message content is encrypted.

However, we hereby additionally point out to our communication partners that although the providers of the messengers cannot view the content, they can find out if and when communication partners communicate with us and technical information about the device used by the communication partners and, depending on the settings of their device, also location information (referred to as meta data) is processed.

Notes on legal bases: If we ask communication partners for permission before communicating with them via a messenger service, the legal basis for our processing of their data is their consent. Otherwise, if we do not ask for consent and they contact us, for example, on their own initiative, we use messenger services in relation to our contractual partners as well as in the context of contract initiation as a contractual measure and in the case of other interested parties and communication partners on the basis of our legitimate interests in ensuring fast and efficient communication and meeting the needs of our communication partners with regard to communication via a messenger service. Furthermore, we would like to point out that we do not transmit the contact information provided to us to the messenger services for the first time without your consent.

Revocation, objection, and deletion: You can revoke any consent you have given at any time and object to communication with us via a messenger service at any time. In the case of communication via a messenger service, we delete the messages in accordance with our general deletion guidelines (that means, for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered all the inquiries of the respective communication partner, if no reference to a previous conversation is to be expected, and the deletion does not conflict with any legal retention obligations.

Right to insist on other communication channels: Finally, we would like to point out that, for reasons of your security, we reserve the right not to answer inquiries via messenger services. This is the case if, for example, information contained in a contract requires a particular level of confidentiality or a reply via a messenger service would not meet formal requirements. In such cases, we will suggest more adequate communication channels to you.

• Types of data processed: contact information (e.g., email, phone numbers), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses), content data (e.g., entries in online forms).
• Data subjects: communication partners.
• Processing purposes: contact requests and communication, direct marketing (e.g., by email or post).
• Legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• Microsoft Teams: Microsoft Teams - messenger; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://products.office.com; privacy policy: https://privacy.microsoft.com/en-us/privacystatement, security information: https://www.microsoft.com/en-us/trust-center.

Video conferencing, online meetings, webinars, and screen sharing

We use platforms and applications of other providers (hereinafter referred to as "third-party providers") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings. When selecting third-party providers and their services, we observe legal requirements.

In this context, data of the communication participants is processed and stored on the servers of the third-party providers insofar as they are part of communications with us. This data may include, in particular, registration and contact information, visual as well as vocal contributions, entries in chats, and shared screen content.

If users are referred to the third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and meta data for security, service optimization or marketing purposes. We therefore ask you to take into account the data protection notices of the respective third-party providers.

Notes on legal bases: If we ask users for their consent to use the third-party providers or certain functions (e.g., consent to a recording of conversations), the legal basis of the processing is this consent. Furthermore, their use may form part of our (pre-)contractual services, provided that the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests in ensuring efficient and secure communication with our communication partners. In this context, we would additionally like to refer you to the information on the use of cookies in this privacy policy.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: communication partners, users (e.g., website visitors, users of online services).
• Processing purposes: provision of contractual services and customer service, contact requests and communication, office and organizational procedures.
• Legal bases: consent (Art. 6(1)(a) of the GDPR), contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• GoToMeeting: conferencing software; service provider: LogMeIn Ireland Limited, Bloodstone Building Block C 70, Sir John Rogerson's Quay Dublin 2, Ireland, parent company: LogMeIn, Inc., 320 Summer Street, Boston, MA 02210 320 Summer Street, Boston, Massachusetts 02210, USA; website: https://www.gotomeeting.com; privacy policy: https://www.logmein.com/legal/privacy.
• Microsoft Teams: messenger and conferencing software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://products.office.com; privacy policy: https://privacy.microsoft.com/en-us/privacystatement, security information: https://www.microsoft.com/en-us/trust-center.

Application procedure

The application procedure requires applicants to provide us with the data necessary for their evaluation and selection. The information required can be found in the job description or, in the case of online forms, in the specifications provided there.

As a general rule, the required information includes personal information, such as name, address, contact details, as well as evidence of the qualifications required for a position. Upon request, we will be happy to provide additional information on which details are required.

If provided, applicants may submit their applications to us using an online form. Here, the data is transmitted to us in encrypted form according to the state of the art. Applicants can also send us their applications by email. However, please note that emails on the Internet are generally not sent in encrypted form. Emails are generally encrypted in transit, but not on the servers from which they are sent and received. Therefore, we cannot take responsibility for the transmission path of the application between the sender and receipt of the application on our server.

For the purposes of applicant searches, the submission of applications, and the selection of applicants, we may use applicant management or recruitment software and platforms and services of third-party providers in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of application submission or send us the application by post.

Processing of special categories of data: Insofar as special categories of personal data within the meaning of Art. 9(1) of the GDPR (e.g., health data, such as severely disabled status, or ethnic origin) are disclosed by applicants as part of the application procedure, the processing of such data is carried out in accordance with Art. 9(2)(b) of the GDPR for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in accordance with Art. 9(2)(c) of the GDPR to protect the vital interests of the applicants or other persons, or in accordance with Art. 9(2)(h) of the GDPR for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. If special categories of data are disclosed on the basis of voluntary consent, such data shall be processed on the basis of Art. 9(2)(a) of the GDPR.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if an application for a job vacancy is not successful, the applicant's data will be deleted. An applicant's data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Except in the case of a justified revocation by the applicant, the deletion takes place at the latest after the expiry of a period of six months so that we can answer any follow-up questions about the application and fulfill our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process, and that they can revoke their consent at any time for the future.

Duration of data retention in the applicant pool in months: 6 months for applicants for permanent employment, 60 months for applicants for freelance work.

• Types of data processed: applicant data (e.g., personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, references, as well as other personal or qualification-related information disclosed by applicants with regard to a specific position or voluntarily).
• Data subjects: applicants.
• Processing purposes: application procedure (establishment and any subsequent execution as well as possible subsequent termination of the employment relationship).
• Legal bases: application procedure as a pre-contractual or contractual relationship (Art. 9(2)(b) of the GDPR).

Cloud services

We use software services that can be accessed via the Internet and are run on the servers of their providers (referred to as "cloud services" or "software as a service") for the following purposes: document storage and management, calendar management, emailing, spreadsheets and presentations, sharing documents, content and information with specific recipients or publishing web pages, forms or other content and information, as well as chats and participation in audio and video conferences.

In this context, personal data may be processed and stored on the servers of the providers insofar as these are part of communications with us or are otherwise processed by us as set out in the context of this privacy policy. This data may include, in particular, master data and contact information of users, data on transactions, contracts, other processes and their contents. The cloud service providers also process usage data and meta data, which they use for security purposes and service optimization.

If we use the cloud services to make forms, documents and content, etc., available to other users or publicly accessible websites, the providers may store cookies on users' devices for the purposes of web analytics or to remember users' settings (e.g., in the case of media control).

Notes on legal bases: If we ask for consent to use the cloud services, the legal basis of the processing is this consent. Furthermore, their use may form part of our (pre-)contractual services, provided that the use of the cloud services has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests (i.e., an interest in ensuring efficient and secure management and collaboration processes).

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: customers, staff members (e.g., current employees, applicants, former employees), interested parties, communication partners.
• Processing purposes: office and organizational procedures.
• Legal bases: consent (Art. 6(1)(a) of the GDPR), contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• Google cloud services: cloud storage services; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://cloud.google.com/; privacy policy: https://www.google.com/policies/privacy, security information: https://cloud.google.com/security/privacy; standard contractual clauses (ensuring level of data protection for processing in third countries): https://cloud.google.com/terms/data-processing-terms.
• Microsoft cloud services: cloud storage services; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://microsoft.com/en-us; privacy policy: https://privacy.microsoft.com/en-us/privacystatement, security information: https://www.microsoft.com/en-us/trust-center.

Newsletter and electronic notifications

We send newsletters, emails and other electronic notifications (hereinafter referred to as "newsletter") only with the consent of the recipients or in the case of legal permission. Insofar as the content of the newsletter is specifically described in the course of subscribing to the newsletter, this defines the scope of the user's consent. Otherwise, our newsletter contains information about our services and us.

To subscribe to our newsletter, it is generally sufficient to enter your email address and your first and last name.

Double opt-in method: When subscribing to our newsletter, a double opt-in method is used as a general rule. This means that an email will be sent to you after subscribing where you will be asked to confirm your subscription. This confirmation is necessary to ensure that no one can subscribe using a third-party email address. Subscriptions to the newsletter are logged in order to be able to prove the subscription process in accordance with legal requirements. This includes storing the subscription and confirmation time as well as the IP address.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years before deleting them on the basis of our legitimate interests to prove that consent was previously given. The processing of this data is limited to the purpose of potentially defending ourselves against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a blocklist for this purpose alone.

The subscription process is logged on the basis of our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in ensuring an efficient and secure email sending system.

Notes on legal bases: The newsletter is sent on the basis of the recipients' consent or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g., in the case of existing customer advertising. If we commission a service provider to send emails, this is done on the basis of our legitimate interests. The subscription process is recorded on the basis of our legitimate interests to prove that it has been carried out in accordance with the law.

Content: information about us, our services, promotions, and offers.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), meta data/communication data (e.g., device information, IP addresses), usage data (e.g., web pages visited, interest in content, access times).
• Data subjects: communication partners.
• Processing purposes: direct marketing (e.g., by email or post).
• Legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).
• Objection option (opt-out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options given above, preferably email, for this purpose.

Promotional communication by email, post, fax, or telephone

We process personal data for the purposes of promotional communication, which may take place via various channels, such as email, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to revoke any consent they have given at any time or to object to promotional communication at any time.

After revocation or objection, we may store the data required to prove consent for up to three years before deleting it on the basis of our legitimate interests. The processing of this data is limited to the purpose of potentially defending ourselves against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers).
• Data subjects: communication partners.
• Processing purposes: direct marketing (e.g., by email or post).
• Legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Prize draws and competitions

We process personal data of participants in prize draws and competitions only in compliance with the relevant data protection provisions, insofar as the processing is contractually necessary for the provision, implementation and completion of the prize draw/competition, the participants have consented to the processing, or the processing serves our legitimate interests (e.g., in ensuring the security of the prize draw/competition or protecting our interests against misuse through possible recording of IP addresses when submitting prize draw/competition entries).

If entries from participants are published as part of the prize draw/competition (e.g., as part of a vote or presentation of the prize draw/competition entries or the winners or reporting on the prize draw/competition), we would like to point out that the names of the participants may also be published in this context. Participants may object to this at any time.

If the prize draw/competition takes place on an online platform or a social networking site (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and data protection provisions of the respective platforms shall also apply. In these cases, we would like to point out that we are responsible for the participant information disclosed as part of the prize draw/competition and that inquiries with regard to the prize draw/competition should be directed to us.

The participants' data will be deleted as soon as the prize draw/competition has ended and the data is no longer required to inform the winners or because inquiries about the prize draw/competition are no longer to be expected. As a general rule, the participants' data will be deleted no later than 6 months after the end of the prize draw/competition. Winners' data may be retained for a longer period of time, e.g., in order to answer queries about the prizes or to fulfill the prize obligations; in this case, the retention period depends on the type of prize and is up to three years for items or services, for example, in order to be able to process warranty claims. Furthermore, the participants' data may be stored for a longer period of time, e.g., in the form of reporting on the prize draw/competition in online and offline media.

If data was also collected for other purposes within the scope of the prize draw/competition, its processing and the retention period shall be governed by the data protection notices regulating this use (e.g., in the case of subscription to the newsletter as part of a prize draw/competition).

• Types of data processed: general data (e.g., names, addresses), content data (e.g., entries in online forms).
• Data subjects: participants in prize draws and competitions.
• Processing purposes: conducting prize draws and competitions.
• Legal bases: contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR).

Web analytics, monitoring, and optimization

Web analytics (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online offering or its functions or content are most frequently used or invite visitors to reuse them. Likewise, we can understand which areas need optimizing.

In addition to web analytics, we may also use testing procedures, for example to test and optimize different versions of our online offering or its components.

For these purposes, what are known as user profiles may be created and stored in a file (referred to as a "cookie") or similar procedures may be used with the same purpose. This information may include, for example, content viewed, web pages visited and elements used there, and technical information such as the browser used, the computer system used and information about usage times. If users have consented to the collection of their location data, this may also be processed depending on the provider.

The IP addresses of users are also stored. However, we use an IP masking method (i.e., pseudonymization by shortening the IP address) to protect users. In general, the data stored in the context of web analytics, A/B testing and optimization is not clear data of users (such as email addresses or names), but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to use the third-party providers, the legal basis for processing data is this consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., an interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Settings/objection option:

• Types of data processed: usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: reach measurement (e.g., access statistics, detection of returning visitors), profiles with user-related information (creation of user profiles).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• Matomo: The information generated by the cookie about your use of this website is stored only on our server and is not shared with third parties; service provider: self-hosted web analytics/reach measurement; website: https://matomo.org/.
• SISTRIX: reach measurement and web analytics; service provider: SISTRIX GmbH, Thomas-Mann-Straße 37, 53111 Bonn, Germany; website and privacy policy (latter only in German).

Online marketing

We process personal data for online marketing purposes, which may include, in particular, marketing advertising space or displaying promotional and other content (collectively referred to as "content") based on users' potential interests and measuring the effectiveness of these measures.

For these purposes, what are known as user profiles are created and stored in a file (referred to as a "cookie") or similar procedures are used, by means of which the user data relevant to displaying the aforementioned content is stored. This data may include, for example, content viewed, web pages visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used and information about usage times. If users have consented to the collection of their location data, this may also be processed.

The IP addresses of users are also stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, the data stored in the context of the online marketing process is not clear data of users (such as email addresses or names), but pseudonyms. This means that we, as well as the providers of the online marketing methods, do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or by means of similar procedures. These cookies can generally also be read later on other websites that use the same online marketing method and analyzed for the purpose of displaying content as well as supplemented with further data and stored on the server of the online marketing method provider.

In exceptional cases, clear data may be assigned to the profiles. This is the case if, for example, the users are members of a social network whose online marketing methods we use and the network links the users' profiles to the aforementioned information. We ask you to be aware that users may make additional agreements with the providers, e.g., by giving their consent as part of the registration process.

We generally only receive access to aggregate information about the success of our ads. However, in the context of conversion measurements, we can check which of our online marketing measures have led to a conversion, in other words to a contract being concluded with us, for example. Conversion measurement is used solely to analyze the success of our marketing efforts.

Unless otherwise stated, we ask you to assume that cookies used will be stored for a period of two years.

Notes on legal bases: If we ask users for their consent to use the third-party providers, the legal basis for processing data is this consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., an interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

• Types of data processed: usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: marketing, profiles with user-related information (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).
• Objection option (opt-out): We refer to the data protection notices of the respective providers and the objection (opt-out) options given for the providers. If no explicit opt-out option has been specified, you have the option of disabling cookies in your browser settings. However, this may limit functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for specific territories: a) Europe: https://www.youronlinechoices.eu, b) Canada: https://www.youradchoices.ca/choices, c) USA: https://www.aboutads.info/choices, d) Cross-territory: https://optout.aboutads.info.

Services and service providers used:

• Matomo: The information generated by the cookie about your use of this website is stored only on our server and is not shared with third parties; service provider: self-hosted web analytics/reach measurement; website: https://matomo.org/.

Presence on social networking sites (social media)

We have an online presence on social networking sites and process user data in this context in order to communicate with users active on them or to offer information about us.

We would like to point out that user data may be processed outside the European Union as part of this. This may give rise to risks for users because, for example, it could make it more difficult to enforce users' rights.

Furthermore, user data on social networking sites is usually processed for market research and advertising purposes. Usage profiles, for example, may thus be created based on the usage behavior and resulting interests of the users. The usage profiles may in turn be used, for example, to display ads within and outside the networks that presumably correspond to the users' interests. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed presentation of the respective forms of processing and the objection (opt-out) options, we refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be asserted most effectively by contacting the providers. Only the providers have access to the users' data in each case and can directly take appropriate measures and provide information. If you still need help, then you can contact us.

• Types of data processed: contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: contact requests and communication, feedback (e.g., gathering feedback via an online form), marketing.
• Legal bases: legitimate interests (Art. 6(1)(f) of the GDPR).

Services and service providers used:

• LinkedIn: social networking site; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• Twitter: social networking site; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/en/privacy, (settings) https://twitter.com/personalization.
• YouTube: social networking site and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy: https://policies.google.com/privacy; objection option (opt-out): https://adssettings.google.com/authenticated.
• Xing: social networking site; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; website: https://www.xing.com; privacy policy: https://privacy.xing.com/en/privacy-policy.

Plug-ins and embedded features and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as "content").

The integration always requires the third-party providers of this content to process the IP address of users, since without the IP address they could not send the content to their browser. The IP address is thus required to display this content or these functions. We endeavor to use only content for which the respective providers use the IP address only for the purpose of delivering the content. Third-party providers may also use what are referred to as pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offering, as well as being linked to such information from other sources.

Notes on legal bases: If we ask users for their consent to use the third-party providers, the legal basis for processing data is this consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., an interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Integration of third-party software, scripts or frameworks (e.g., jQuery): We integrate software from servers of other providers into our online offering (e.g., function libraries that we use for the purpose of displaying our online offering or making it user friendly). In the course of this, the respective providers collect the IP address of users and may process it for the purpose of transmitting the software to the users' browser and for security purposes, as well as for the evaluation and optimization of their offering.

• Types of data processed: usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses), general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms).
• Data subjects: users (e.g., website visitors, users of online services).
• Processing purposes: provision of our online offering and user friendliness, provision of contractual services and customer service, marketing, profiles with user-related information (creation of user profiles).
• Legal bases: legitimate interests (Art. 6(1)(f) of the GDPR), consent (Art. 6(1)(a) of the GDPR), contract performance and pre-contractual requests (Art. 6(1)(b) of the GDPR).

Services and service providers used:

• Font Awesome: display of fonts and symbols; service provider: Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA; website: https://fontawesome.com/; privacy policy: https://fontawesome.com/privacy.
• Google Fonts: We integrate the fonts ("Google Fonts") provided by Google, as part of which the data of users is used solely for the purpose of displaying the fonts in the users' browser. The integration is based on our legitimate interests in a technically secure, maintenance-free and efficient use of fonts and their uniform display, while taking into account possible licensing restrictions for their integration. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://fonts.google.com/; privacy policy: https://policies.google.com/privacy.
• Google Maps: We integrate the maps of the "Google Maps" service provided by Google. The data processed may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually issued in the settings of their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://cloud.google.com/maps-platform; privacy policy: https://policies.google.com/privacy; objection option (opt-out): opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of ads: https://adssettings.google.com/authenticated.
• LinkedIn plug-ins and content: LinkedIn plug-ins and content - These may include, for example, content such as images, videos or text and buttons that allow users to share content from this online offering within LinkedIn. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• reCAPTCHA: We integrate the "reCAPTCHA" function in order to be able to detect whether entries (e.g., in online forms) are being made by humans and not by automatically acting machines (known as "bots"). The data processed may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on web pages, previously visited web pages, interactions with reCAPTCHA on other web pages, possibly cookies, and results of manual recognition processes (e.g., answering questions asked or selecting objects in images). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.google.com/recaptcha/; privacy policy: https://policies.google.com/privacy; objection option (opt-out): opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of ads: https://adssettings.google.com/authenticated.
• Twitter plug-ins and content: Twitter plug-ins and buttons - These may include, for example, content such as images, videos or text and buttons that allow users to share content from this online offering within Twitter. Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; website: https://twitter.com; privacy policy: https://twitter.com/en/privacy.
• YouTube videos: video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy; objection option (opt-out): opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of ads: https://adssettings.google.com/authenticated.
• Xing plug-ins and buttons: Xing plug-ins and buttons - These may include, for example, content such as images, videos or text and buttons that allow users to share content from this online offering within Xing. Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; website: https://www.xing.com; privacy policy: https://privacy.xing.com/en/privacy-policy.

Management, organization, and auxiliary tools

We use services, platforms and software of other providers (hereinafter referred to as "third-party providers") for the purposes of organizing, managing, planning as well as providing our services. When selecting third-party providers and their services, we observe legal requirements.

In this context, personal data may be processed and stored on the servers of the third-party providers. This may involve various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact information of users, data on transactions, contracts, other processes and their contents.

If users are referred to the third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and meta data for security, service optimization or marketing purposes. We therefore ask you to take into account the data protection notices of the respective third-party providers.

Notes on legal bases: If we ask users for their consent to use the third-party providers, the legal basis for processing data is this consent. Furthermore, their use may form part of our (pre-)contractual services, provided that the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests (i.e., an interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

• Types of data processed: general data (e.g., names, addresses), contact information (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., web pages visited, interest in content, access times), meta data/communication data (e.g., device information, IP addresses).
• Data subjects: communication partners, users (e.g., website visitors, users of online services), business and contractual partners, staff members (e.g., current employees, applicants, former employees).
• Processing purposes: provision of contractual services and customer service, reach measurement (e.g., access statistics, detection of returning visitors), profiles with user-related information (creation of user profiles), feedback (e.g., gathering feedback via an online form), office and organizational procedures.

Services and service providers used:

• Confluence: software for the creation and administration of wiki & knowledge platforms; service provider: Atlassian, Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; website: https://www.atlassian.com/software/confluence; privacy policy: https://www.atlassian.com/legal/privacy-policy.
• DocuSign: DocuSign provides a digital transaction management platform to facilitate digital transactions involving the signing process of contract documents and other documents; service provider: DocuSign, Inc., 221 Main Street, Suite 1000, San Francisco, CA 94105, USA; website: https://www.docusign.com/; privacy policy: https://www.docusign.com/company/privacy-policy; processing as the data processor and data controller is based on approved binding corporate rules (Art. 47 of the GDPR) that ensure a level of data protection that complies with the requirements of the GDPR https://www.docusign.com/trust/privacy/binding-corporate-rules.
• HubSpot: social media publishing, reporting (e.g., traffic sources, access numbers, web analytics), contact management (e.g., contact forms, direct communication, and user segmentation), landing pages; service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; website: https://www.hubspot.com; privacy policy: https://legal.hubspot.com/privacy-policy.
• Mentimeter: creation of presentations and meetings with real-time feedback; service provider: Mentimeter AB, Alströmergatan 22 SE-112 47 Stockholm, Sweden; website: https://www.mentimeter.com; privacy policy: https://www.mentimeter.com/policies.
• Miro: online whiteboard and collaboration platform; service provider: Realtimeboard, Inc. dba Miro, 201 Spear Street Suite 1100, San Francisco, California 94105, USA; website: https://miro.com/; privacy policy: https://miro.com/legal/privacy-policy/.

Data deletion

The data processed by us will be deleted in accordance with legal requirements as soon as the respective consent given for processing it is revoked or other permissions cease to apply (e.g., if the purpose of processing this data has ceased to apply or processing is not required for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. In other words, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons pertaining to commercial or tax law or whose storage is necessary for asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person.

As part of our data protection notices, we may provide users with further information regarding the deletion and retention of data that is specific to each processing scenario.

Modifications and updates to the privacy policy

We ask you to regularly acquaint yourself with the content of our privacy policy. We will adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as changes require your cooperation (e.g., consent) or an individual notification in another form.

Where we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time so you should check the details before contacting them.

Rights of the data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 of the GDPR:

• Right to object: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) of the GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you shall have the right to object at any time to processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right to revoke consent: You shall have the right to revoke any consent you have given at any time.
• Right of access: You shall have the right to obtain confirmation as to whether or not data concerning you is being processed, and, where that is the case, access to this data and further information as well as copies of the data in accordance with legal requirements.
• Right to rectification: In accordance with legal requirements, you shall have the right to have incomplete data concerning you completed or to obtain the rectification of inaccurate data concerning you.
• Right to erasure and restriction of processing: In accordance with legal requirements, you shall have the right to obtain the erasure of data concerning you without undue delay or alternatively to obtain restriction of processing of the data.
• Right to data portability: In accordance with legal requirements, you shall have the right to receive data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, or to request that it be transmitted to another controller.
• Lodging a complaint with a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you shall also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

Supervisory authority responsible for us:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach, Germany
Tel. +49 (0)981 180093-0
Fax +49 (0)981 180093-800
poststelle@lda.bayern.de

Definitions of terms

This section provides you with an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are defined especially in Art. 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily to aid understanding. The terms are sorted alphabetically.

• IP masking: IP masking is a method of deleting the last octet, i.e., the last two numbers of an IP address, so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing procedures, especially in online marketing.
• Conversion measurement: Conversion measurement (also known as "conversion tracking") is a method used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' devices within the websites on which the marketing activities take place and then retrieved again on the target website. For example, we can use this to track whether the ads we have placed on other websites have been successful.
• Personal data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Profiles with user-related information: The processing of "profiles with user-related information", or "profiles" for short, includes any form of automated processing of personal data consisting of the use of this personal data to analyze, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information concerning demographics, behavior and interests, such as interaction with websites and their content, interests in certain content or products, click behavior on a website, location, etc.). Cookies and web beacons are often used for profiling purposes.
• Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate the flow of visitors to an online offering and may include visitors' behavior or interests in certain information, such as web page content. With the help of reach analysis, website owners can, for example, identify at what time visitors visit their website and what content they are interested in. This allows them, for example, to better adapt the content of the website to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to detect returning visitors and thus obtain more precise analyses of the use of an online offering.
• Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is wide-ranging and encompasses practically every handling of data, be it collection, evaluation, storage, transmission, or erasure.