Privacy Policy

Preamble

With the following Privacy Policy, we would like to inform you about what types of your personal data (hereinafter also referred to simply as “data”) we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to below as the “online offering”).

The terms used are not gender-specific.

Last updated: 12 February 2026

Table of Contents

Preamble
Controller
Overview of Processing
Relevant Legal Bases
Security Measures
Transfer of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Business Services
Use of Online Platforms for Offer and Sales Purposes
Provision of the Online Offering and Web Hosting
Use of Cookies
Blogs and Publishing Media
Contact and Inquiry Management
Newsletters and Electronic Notifications
Advertising Communication via Email, Post, Fax, or Telephone
Web Analytics, Monitoring and Optimization
Online Marketing
Affiliate Programs and Affiliate Links
Presences in Social Networks (Social Media)
Plug-ins and Embedded Functions and Content
Changes and Updates
Definitions of Terms

Controller

Enya Morlok
Hermann-Sielckenstr. 75
76530 Baden-Baden

Email address: enyastravels@gmail.com

Overview of Processing

The following overview summarizes the types of data processed, the purposes of processing, and refers to the affected persons.

Types of data processed

  • Master data.

  • Payment data.

  • Location data.

  • Contact data.

  • Content data.

  • Contract data.

  • Usage data.

  • Meta, communication, and procedural data.

  • Log data.

Categories of data subjects

  • Service recipients and clients.

  • Prospective customers.

  • Communication partners.

  • Users.

  • Business and contractual partners.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.

  • Communication.

  • Security measures.

  • Direct marketing.

  • Reach measurement.

  • Tracking.

  • Office and organizational procedures.

  • Conversion measurement.

  • Audience building.

  • Affiliate tracking.

  • Organizational and administrative procedures.

  • Server monitoring and error detection.

  • Feedback.

  • Marketing.

  • Profiles with user-related information.

  • Provision of our online offering and user-friendliness.

  • IT infrastructure.

  • Public relations.

  • Sales promotion.

  • Business processes and business management procedures.

Relevant Legal Bases

Relevant legal bases under the GDPR

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If, in individual cases, more specific legal bases are relevant, we will inform you of this in the Privacy Policy.

  • Consent (Art. 6(1) sentence 1 lit. a GDPR) – The data subject has given consent to the processing of personal data relating to them for one or more specific purposes.

  • Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

  • Legal obligation (Art. 6(1) sentence 1 lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany

In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions on the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer as well as automated decision-making in individual cases including profiling. In addition, state data protection laws of the individual federal states may apply.

Security Measures

In accordance with the legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, and disclosure of the data, securing its availability, and keeping it separated. We also have procedures in place to ensure the exercise of data subject rights, the deletion of data, and responses to threats to data. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS)

To protect users’ data transmitted via our online services against unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cornerstones of secure data transmission on the internet. These technologies encrypt the information transferred between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and more secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by “HTTPS” in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.

Transfer of Personal Data

In the course of processing personal data, it may occur that data is transmitted to other entities, companies, legally independent organizational units, or persons, or disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts and/or agreements with recipients that serve to protect your data.

International Data Transfers

Data processing in third countries

If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing/transferring data to other persons, entities, or companies (which can be recognized by the postal address of the provider or by an explicit reference in this Privacy Policy), this always takes place in accordance with legal requirements.

For transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by an EU Commission adequacy decision dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, in accordance with EU Commission requirements, which define contractual obligations for protecting your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the Standard Contractual Clauses serve as an additional safeguard. Should changes occur within the DPF framework, the Standard Contractual Clauses apply as a reliable fallback. This ensures that your data remains adequately protected even in the event of political or legal changes.

For individual service providers, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at: https://www.dataprivacyframework.gov/ (in English).

For transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Data Storage and Deletion

We delete personal data we process in accordance with legal requirements as soon as the underlying consents are revoked or no other legal bases for processing apply. This applies to cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where legal obligations or special interests require longer retention or archiving.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal enforcement or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

If multiple retention periods or deletion deadlines are specified for a set of data, the longest period always applies. Data that is no longer retained for the originally intended purpose but is stored due to legal requirements or other reasons is processed solely for the reasons that justify its retention.

Retention and deletion of data: General retention periods under German law

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as work instructions and other organizational documents required for their understanding (§ 147(1) no. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) no. 1 in conjunction with (4) HGB).

  • 8 years – Accounting vouchers, such as invoices and expense receipts (§ 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO and § 257(1) no. 4 in conjunction with (4) HGB).

  • 6 years – Other business documents: received commercial/business letters, copies of sent commercial/business letters, and other documents relevant for taxation, e.g., wage slips, cost accounting sheets, calculation documents, price labels, payroll documents (unless already accounting vouchers), and cash register tapes (§ 147(1) nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) nos. 2 and 3 in conjunction with (4) HGB).

  • 3 years – Data required to consider potential warranty and damages claims or similar contractual claims and rights and to process related inquiries, based on previous business experience and usual industry practices, are stored for the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights under the GDPR

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1) lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

  • Right to withdraw consent: You have the right to withdraw consent at any time.

  • Right of access: You have the right to obtain confirmation as to whether data concerning you is being processed, and to obtain access to this data as well as further information and a copy of the data in accordance with legal requirements.

  • Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.

  • Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased without undue delay, or alternatively to request restriction of processing.

  • Right to data portability: You have the right to receive data concerning you which you have provided to us, in a structured, commonly used, and machine-readable format, or to request transmission to another controller.

  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

Business Services

We process data of our contractual and business partners, e.g., customers and prospective customers (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships and associated measures, and with regard to communication with contractual partners (or pre-contractually), for example to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any update obligations, and remedies for warranty and other performance disruptions. In addition, we use the data to safeguard our rights and for administrative tasks associated with these obligations as well as for company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and economically sound business management and in security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g., involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the scope of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or for fulfilling legal obligations. Contractual partners are informed about further forms of processing, e.g., for marketing purposes, within the scope of this Privacy Policy.

We inform contractual partners before or during data collection which data is required for the aforementioned purposes, e.g., in online forms, by special marking (e.g., colors) and/or symbols (e.g., asterisks), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., for as long as it must be retained for legal archiving reasons (for tax purposes generally ten years). Data disclosed to us by the contractual partner within the scope of an assignment is deleted in accordance with the requirements and generally after the end of the assignment.

Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter, term, customer category); usage data (e.g., page views and dwell time, click paths, intensity/frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g., IP addresses, time data, identification numbers, persons involved).

Data subjects: Service recipients and clients; prospective customers; business and contractual partners.

Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and business management procedures.

Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion”.

Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR); legal obligation (Art. 6(1) sentence 1 lit. c GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further notes on processing operations, procedures, and services

Online shop, order forms, e-commerce and performance: We process customer data to enable the selection, purchase, or ordering of selected products, goods and associated services, as well as payment and provision/delivery or execution. Where necessary for executing an order, we use service providers—especially postal, freight and shipping companies—to deliver or execute orders for our customers. For payment processing, we use banks and payment service providers. The required details are marked as such in the ordering or comparable purchase process and include the information necessary for delivery/provision and billing as well as contact information for inquiries; legal basis: Art. 6(1) sentence 1 lit. b GDPR.

Use of Online Platforms for Offer and Sales Purposes

We offer our services on online platforms operated by other service providers. In this context, the privacy notices of the respective platforms apply in addition to our privacy notices. This applies in particular with regard to payment processing and the methods used on platforms for reach measurement and interest-based marketing.

Types of data processed: Master data; payment data; contact data; contract data; usage data; meta, communication and procedural data (e.g., IP addresses, time data, identification numbers, persons involved).

Data subjects: Service recipients and clients; business and contractual partners.

Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing; business processes and business management procedures.

Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion”.

Legal bases: Art. 6(1) sentence 1 lit. b GDPR; legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further notes

  • Etsy: Online marketplace for e-commerce; service provider: Etsy, Inc., 55 Washington Street, Suite 712, Brooklyn, NY 11201, USA; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.etsy.com/de; privacy policy: https://www.etsy.com/de/legal/privacy/?ref=ftr.

  • Shopify: Platform for offering and conducting e-commerce services, including online shops, websites, offers and content, community elements, purchasing and payment processes, customer communication, analytics and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.shopify.com/de; privacy policy: https://www.shopify.com/de/legal/datenschutz.

Provision of the Online Offering and Web Hosting

We process users’ data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the contents and functions of our online services to the user’s browser or device.

Types of data processed: Usage data; meta, communication and procedural data; log data.

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Provision of our online offering and user-friendliness; IT infrastructure; security measures; reach measurement; conversion measurement; server monitoring and error detection.

Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion”.

Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further notes

  • Provision on rented storage: We use storage space, computing capacity and software from a server provider (“web host”); legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

  • Collection of access data and log files: Access to our online offering is logged in so-called server log files. Server log files may include address and name of retrieved web pages/files, date and time of retrieval, transferred data volumes, success messages, browser type and version, operating system, referrer URL, and usually IP addresses and the requesting provider. The server log files can be used for security purposes (e.g., to prevent server overload, in particular in the case of DDoS attacks) and to ensure server utilization and stability; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained as evidence is exempt from deletion until final clarification of the incident.

  • DomainFactory: Domainfactory GmbH, c/o WeWork, Neuturmstrasse 5, 80331 Munich, Germany; website: https://www.df.eu; privacy policy: https://www.df.eu/de/datenschutz; data processing agreement: https://www.df.eu/de/support/formulare.

  • Squarespace: Squarespace Ireland Ltd., Le Pole House, Ship Street Great, Dublin 8, Ireland; website: https://www.squarespace.com; privacy policy: https://www.squarespace.com/privacy; DPA: https://www.squarespace.com/dpa; basis for third-country transfers: DPF and Standard Contractual Clauses (https://www.squarespace.com/dpa).

Use of Cookies

The term “cookies” includes functions that store information on users’ end devices and read it from them. Cookies can be used for various purposes, e.g., the functionality, security and convenience of online offerings, as well as the analysis of visitor flows. We use cookies in accordance with legal regulations. Where required, we obtain users’ consent in advance. If consent is not required, we rely on our legitimate interests. This applies where storing and reading information is essential in order to provide explicitly requested content and functions. This includes storing settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about its scope and about which cookies are used.

Notes on legal bases: Whether we process personal data using cookies depends on consent. If consent exists, it is the legal basis. Without consent, we rely on our legitimate interests as described in this section and in the context of the respective services and procedures.

Storage duration

  • Temporary cookies (session cookies): Deleted at the latest after the user leaves the online offering and closes their device (e.g., browser or mobile application).

  • Permanent cookies: Remain stored after the device is closed (e.g., to store login status or preferred content, and for reach measurement). If we do not provide explicit information on type and storage duration, users should assume cookies are permanent and may be stored for up to two years.

General notes on withdrawal and objection (opt-out)

Users can withdraw consent at any time and object to processing in accordance with legal requirements, including via their browser privacy settings.

Types of data processed: Meta, communication and procedural data.

Data subjects: Users.

Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); consent (Art. 6(1) sentence 1 lit. a GDPR).

Further notes

Processing of cookie data on the basis of consent: We use a consent management solution that obtains, documents, manages and enables withdrawal of users’ consent regarding cookies and comparable technologies. Consent declarations are stored to avoid repeated requests and to provide proof of consent. Storage occurs server-side and/or in an opt-in cookie or comparable technologies to assign consent to a specific user or device. If no specific details about providers of consent management services are available, the following applies: consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, details on the scope of consent (e.g., cookie categories and/or service providers), and information about browser, system and device; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR).

Blogs and Publishing Media

We use blogs or comparable means of online communication and publication (“publishing medium”). Readers’ data is processed only to the extent necessary for displaying the publishing medium and for communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors’ data for our publishing medium in these privacy notices.

Types of data processed: Master data; contact data; content data; usage data; meta, communication and procedural data.

Data subjects: Users.

Purposes of processing and legitimate interests: Feedback; provision of our online offering and user-friendliness; security measures; organizational and administrative procedures.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”.

Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further notes

Comments and posts: If users leave comments or other posts, their IP addresses may be stored on the basis of our legitimate interests. This is for our security in case unlawful content is posted (insults, prohibited political propaganda, etc.). In such cases, we may be held liable and are therefore interested in the identity of the author. Furthermore, we reserve the right to process user data for spam detection on the basis of our legitimate interests. On the same legal basis, we reserve the right to store IP addresses during surveys and to use cookies to prevent multiple votes. The personal information provided in comments and posts, any contact or website information, and the content information are stored permanently until users object; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, telephone or via social media) and within existing user and business relationships, the details provided by the inquiring persons are processed insofar as this is necessary to respond to contact requests and any requested measures.

Types of data processed: Contact data; content data; meta, communication and procedural data.

Data subjects: Communication partners.

Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback; provision of our online offering and user-friendliness.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”.

Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Further notes

Contact form: When contacting us via our contact form, email or other communication channels, we process the personal data provided to respond to and handle the request. This typically includes details such as name, contact information and other information provided that is necessary for proper handling. We use this data exclusively for the stated purpose of contact and communication; legal bases: Art. 6(1) sentence 1 lit. b GDPR and legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Newsletters and Electronic Notifications

We send newsletters, emails and other electronic notifications (“newsletters”) only with the recipients’ consent or on a legal basis. If the contents of the newsletter are specified during registration, these contents are decisive for users’ consent. Usually, providing an email address is sufficient for registration. To provide a personalized service, we may ask for your name for personal addressing in the newsletter or other information if required for newsletter purposes.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to prove prior consent. Processing of this data is limited to the purpose of potentially defending claims. An individual deletion request is possible at any time, provided the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

We log the registration process on the basis of our legitimate interests for proof of proper procedure. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.

Contents:
Information about us, our services, promotions and offers.

Types of data processed: Master data; contact data; meta, communication and procedural data.

Data subjects: Communication partners.

Purposes of processing and legitimate interests: Direct marketing.

Legal basis: Consent (Art. 6(1) sentence 1 lit. a GDPR).

Opt-out: You may cancel the newsletter at any time, i.e., withdraw your consent and/or object to further receipt. You will find an unsubscribe link at the end of each newsletter, or you may use one of the contact options listed above (preferably email).

Advertising Communication via Email, Post, Fax, or Telephone

We process personal data for advertising communication via various channels such as email, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to withdraw consent at any time or to object to advertising communication free of charge via the contact options listed above.

After withdrawal or objection, we store the data required to prove the previous authorization for contact or delivery for up to three years after the end of the year of withdrawal or objection on the basis of our legitimate interests. Processing of this data is limited to the purpose of potentially defending claims. On the basis of the legitimate interest in permanently observing withdrawals/objections, we also store the data required to avoid renewed contact (depending on channel, e.g., email address, telephone number, name).

Types of data processed: Master data; contact data; content data.

Data subjects: Communication partners.

Purposes of processing and legitimate interests: Direct marketing; marketing; sales promotion.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”.

Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Web Analytics, Monitoring and Optimization

Web analytics (also “reach measurement”) is used to evaluate visitor flows to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, in pseudonymous values. Reach analysis enables us to recognize, for example, at what time our online offering or its functions or content are used most frequently or invite repeat use. It also allows us to identify areas that need optimization.

In addition to web analytics, we may use test procedures (e.g., A/B testing) to test and optimize different versions of our online offering or parts thereof.

Unless otherwise stated below, profiles—i.e., data combined into a usage process—may be created for these purposes, and information may be stored in a browser or on an end device and read out. Collected information includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used and usage times. If users have agreed to the collection of their location data, location data may also be processed.

In addition, users’ IP addresses are stored. However, we use an IP masking method (pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored as part of web analytics, A/B testing and optimization; pseudonyms are stored instead. This means that neither we nor the software providers know the actual identity of users, only the information stored in their profiles for the respective procedures.

Notes on legal bases: Where we ask for consent for the use of third-party providers, consent is the legal basis. Otherwise, user data is processed on the basis of our legitimate interests (interest in efficient, economic and user-friendly services). We also refer to the information on cookies in this Privacy Policy.

Types of data processed: Usage data; meta, communication and procedural data.

Data subjects: Users.

Purposes of processing and legitimate interests: Reach measurement; profiles with user-related information; provision of our online offering and user-friendliness.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”. Cookies may be stored for up to two years.

Security measure: IP masking.

Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further notes

Google Analytics: We use Google Analytics to measure and analyze use of our online offering based on a pseudonymous user identification number. This identification number contains no unique data (such as names or email addresses). It serves to assign analytics information to an end device, to understand which content users accessed within one or more usage processes, which search terms they used, whether they accessed content again, or interacted with our online offering. The time and duration of use, referral sources, and technical aspects of users’ devices and browsers are also stored. Pseudonymous profiles may be created from usage across devices, with cookies being used.

Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographic location data by deriving city (and derived latitude/longitude), continent, country, region, and subcontinent from IP address metadata. For EU traffic, IP address data is used exclusively for deriving geolocation data before it is immediately deleted. It is not logged, not accessible, and not used for any further purposes. When Google Analytics collects measurement data, all IP lookups are performed on EU-based servers before the traffic is forwarded for processing to Analytics servers.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com/intl/de/about/analytics; security measure: IP masking; privacy policy: https://policies.google.com/privacy; data processing terms: https://business.safety.google/adsprocessorterms; basis for third-country transfers: DPF and Standard Contractual Clauses; opt-out: https://tools.google.com/dlpage/gaoptout?hl=de; ad settings: https://myadcenter.google.com/personalizationoff; more information: https://business.safety.google/adsservices.

Online Marketing

We process personal data for online marketing purposes, in particular for marketing ad space or displaying advertising and other content (“content”) based on users’ potential interests and to measure its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the “cookie”) or similar procedures are used to store the information relevant to displaying content. This may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as browser, computer system, usage times and functions used. If users have consented to the collection of location data, this may also be processed.

Users’ IP addresses are also stored. However, we use available IP masking procedures to protect users. In general, no clear data (such as email addresses or names) is stored in online marketing procedures; pseudonyms are stored instead. This means that neither we nor the providers know the actual identity of users, only the information stored in their profiles.

The information in profiles is typically stored in cookies or similar procedures, which may also be read on other websites using the same marketing procedure, analyzed for content display, supplemented and stored on the marketing provider’s server.

In exceptional cases, clear data may be assigned to profiles—primarily if users are members of a social network whose marketing procedures we use and the network links user profiles with the data mentioned above. Users should note that additional agreements may be made with providers, e.g., by consent during registration.

We generally only receive aggregated information about the success of our ads. However, within so-called conversion measurement we can check which online marketing procedures led to a “conversion,” e.g., conclusion of a contract. Conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, cookies may be stored for two years.

Notes on legal bases: Where we ask for consent, consent is the legal basis. Otherwise, processing is based on our legitimate interests (efficient, economic and user-friendly services). We also refer to the cookie information in this Privacy Policy.

Withdrawal and objection: We refer to the privacy notices of the providers and the opt-out options specified there. If no explicit opt-out is specified, users can disable cookies in browser settings, which may limit functions. We also recommend the following opt-out options:

a) Europe: https://www.youronlinechoices.eu
b) Canada: https://youradchoices.ca
c) USA: https://optout.aboutads.info
d) Cross-region: https://optout.aboutads.info

Types of data processed: Usage data; meta, communication and procedural data.

Data subjects: Users.

Purposes of processing and legitimate interests: Reach measurement; tracking; audience building; marketing; profiles with user-related information; conversion measurement.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”. Cookies may be stored up to two years.

Security measure: IP masking.

Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Affiliate Programs and Affiliate Links

We integrate so-called affiliate links or other references (which may include, e.g., search masks, widgets or discount codes) to offers and services of third-party providers (“affiliate links”). If users follow affiliate links and subsequently use the offers, we may receive a commission or other benefits (“commission”).

To track whether users have used the offers of an affiliate link we use, it is necessary that the respective third-party providers learn that users followed an affiliate link used within our online offering. The assignment of affiliate links to business transactions or other actions (e.g., purchases) serves solely the purpose of commission billing and is removed as soon as it is no longer required for that purpose.

For this assignment, affiliate links may be supplemented with certain values that are part of the link or can be stored elsewhere, e.g., in a cookie. The values may include, in particular, the originating website (referrer), time, an online identifier of the operator of the website hosting the affiliate link, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.

Notes on legal bases: If we ask for consent, consent is the legal basis. Otherwise, processing is based on our legitimate interests (efficient, economic and user-friendly services). We also refer to the cookie information in this Privacy Policy.

Types of data processed: Contract data; usage data; meta, communication and procedural data.

Data subjects: Prospective customers; users.

Purposes of processing and legitimate interests: Affiliate tracking.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”.

Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Partner programs

Note:
When you click an affiliate link, you may leave our website. The privacy policies of the respective provider then apply.

Presences in Social Networks (Social Media)

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the European Union. This may entail risks for users because, for example, enforcement of user rights could be more difficult.

Furthermore, data of users within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and resulting interests. These profiles may in turn be used to place ads within and outside the networks that presumably correspond to users’ interests. Therefore, cookies are usually stored on users’ devices in which usage behavior and interests are stored. In addition, data may be stored in the usage profiles independently of the devices used by users (especially if users are members of the respective platforms and logged in).

For a detailed presentation of the respective processing and opt-out options, we refer to the privacy policies and information of the operators of the respective networks.

Also in the case of information requests and assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the user data and can take appropriate measures directly and provide information. If you still need help, you can contact us.

Types of data processed: Contact data; content data; usage data; master data; meta, communication and procedural data.

Data subjects: Users.

Purposes of processing and legitimate interests: Communication; feedback; public relations; provision of our online offering and user-friendliness; IT infrastructure.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”.

Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (“third-party providers”). These may include graphics, videos, or maps (“content”).

Integration always requires that the third-party providers process users’ IP addresses, since without the IP address they could not send the content to the user’s browser. The IP address is therefore required for display. We endeavor to use only such content whose provider uses the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (“web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on these pages. Pseudonymous information may also be stored in cookies on users’ devices and may include technical information about browser and operating system, referring websites, visit time, and other information about use of our online offering, and may be linked with information from other sources.

Notes on legal bases: If we ask for consent, consent is the legal basis. Otherwise, processing is based on our legitimate interests (efficient, economic and user-friendly services). We also refer to the cookie information in this Privacy Policy.

Types of data processed: Usage data; meta, communication and procedural data; location data.

Data subjects: Users.

Purposes of processing and legitimate interests: Provision of our online offering and user-friendliness; reach measurement; tracking; audience building; marketing; profiles with user-related information.

Retention and deletion: As stated in “General Information on Data Storage and Deletion”. Cookies may be stored up to two years.

Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Changes and Updates

We ask you to regularly inform yourself about the content of our Privacy Policy. We adapt the Privacy Policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as changes require an action on your part (e.g., consent) or another individual notification.

If we provide addresses and contact details of companies and organizations in this Privacy Policy, please note that addresses may change over time and we ask you to verify the information before contacting them.

Definitions of Terms

In this section, you will find an overview of the terms used in this Privacy Policy. Where the terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

Affiliate tracking: In affiliate tracking, links used by referring websites to direct users to websites with product or other offers are logged. Operators of the referring websites may receive a commission if users follow such affiliate links and subsequently use the offers (e.g., purchase goods or use services). Providers must be able to track whether users who are interested in certain offers subsequently use them due to the affiliate links. For affiliate links to function, they must be supplemented with certain values that become part of the link or are stored elsewhere, e.g., in a cookie. Values include, in particular, the referrer, time, online identifiers of the website operator and the offer, and tracking-specific values such as ad material ID, partner ID, and categorizations.

Master data: Master data includes essential information needed to identify and manage contractual partners, user accounts, profiles and similar assignments. This may include personal and demographic details such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for formal interaction by enabling clear assignment and communication.

Content data: Content data includes information generated during creation, editing and publication of content of all kinds, including texts, images, videos, audio files and other multimedia, plus metadata such as tags, descriptions, author information and publication dates.

Contact data: Contact data is essential information enabling communication, including telephone numbers, postal addresses, email addresses, and identifiers for communication channels such as social media handles.

Conversion measurement: Conversion measurement is a method to determine the effectiveness of marketing measures, typically by storing a cookie on users’ devices on the websites where marketing measures are carried out and then retrieving it again on the target website.

Meta, communication and procedural data: These categories describe the context and handling of data. Meta data (“data about data”) includes context and structure information such as file size, creation date, document author, and change history. Communication data records information exchanged via channels such as email, call logs, social network messages and chat histories, including participants, timestamps and transmission paths. Procedural data describes processes and workflows within systems/organizations, including transaction logs and audit logs.

Usage data: Usage data describes how users interact with digital products/services, including page views, dwell time, navigation paths, frequency of use, timestamps, IP addresses, device information and location data—valuable for analyzing behavior and optimizing user experience.

Personal data: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier (e.g., cookie), or one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.

Profiles with user-related information: Profiling means any automated processing of personal data to evaluate or predict personal aspects relating to a natural person (e.g., interests, behavior), often using cookies and web beacons.

Log data: Log data records events/activities in systems or networks, typically including timestamps, IP addresses, user actions, error messages and other usage/operation details.

Reach measurement: Reach measurement (web analytics) evaluates visitor flows and can include behavior/interest information; it often uses pseudonymous cookies and web beacons to recognize returning visitors.

Server monitoring and error detection: Server monitoring and error detection ensures the availability and integrity of the online offering and uses data to technically optimize it by processing performance and load metrics; in case of errors, individual requests may be captured to identify and fix causes.

Location data: Location data arises when a mobile device (or other device capable of geolocation) connects to a cell tower, Wi-Fi or similar; it indicates the device’s geographic position.

Tracking: Tracking refers to observing users’ behavior across multiple online offerings; behavior and interest information is stored in cookies or on providers’ servers and can be used to show targeted ads.

Controller: The natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data.

Processing: Any operation performed on personal data, whether automated or not, such as collection, analysis, storage, disclosure, or deletion.

Contract data: Contract data documents the terms and conditions of agreements (start/end dates, services/products, pricing, payment terms, termination rights, renewal options, etc.) and is essential for fulfilling obligations and enforcing rights.

Payment data: Payment data includes information needed to process payment transactions, such as card numbers, bank details, amounts, transaction details, verification numbers, invoices, payment status, chargebacks, authorizations and fees.

Audience building: Audience building (custom audiences) refers to defining target groups for advertising; “lookalike audiences” are similar target groups. Cookies and web beacons are typically used.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke