Privacy Policy
(Version: May 2, 2025)
Table of Contents
- Introduction and Overview
- Scope of Application
- Legal Bases
- Contact Details of the Controller
- Data Retention Period
- Rights According to the General Data Protection Regulation (GDPR)
- Data Transfers to Third Countries
- Security of Data Processing
- Communication
- Data Processing Agreement (DPA)
- Cookies
- Web Hosting Introduction
- Web Analytics Introduction
- Email Marketing Introduction
- Push Notifications Introduction
- Messenger & Communication Introduction
- Chatbots Introduction
- Social Media Introduction
- Blogs and Publishing Media Introduction
- Online Marketing Introduction
- Cookie Consent Management Platform Introduction
- Security & Anti-Spam
- Payment Providers Introduction
- External Online Platforms Introduction
- Audio & Video Introduction
- Survey and Feedback Systems Introduction
- Review Platforms Introduction
- Explanation of Terms Used
- Final Remarks
Introduction and Overview
We have drafted this Privacy Policy (as of May 2, 2025) to inform you in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws about which personal data (hereinafter “data”) we, as the controller – and our commissioned data processors (e.g., hosting providers) – process, will process in the future, and the lawful options available to you. The terms used are to be understood as gender-neutral.
In short: We provide you with comprehensive information about the personal data we process about you.
Privacy policies typically sound very technical and use legal jargon. This Privacy Policy, on the other hand, aims to explain the most important aspects as clearly and transparently as possible. Where beneficial to clarity, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics may be used. We thus communicate in clear and simple language that we only process personal data as part of our business activities if there is a corresponding legal basis. This would not be possible if we were to use the kind of brief, vague, and overly legalistic explanations often found on the internet in relation to data protection. We hope you find the following explanations informative and helpful—and perhaps you'll even learn something new.
If you still have any questions, we kindly ask you to contact the responsible entity listed below or in the legal notice, follow the available links, or consult third-party sources. Our contact details can of course also be found in the legal notice.
Scope of Application
This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies commissioned by us (data processors). By personal data, we mean information as defined in Art. 4 No. 1 GDPR, such as a person’s name, email address, or postal address. The processing of personal data enables us to offer and bill for our services and products—whether online or offline. The scope of this Privacy Policy includes:
- all online presences (websites, online shops) operated by us
- social media presences and email communication
- mobile apps for smartphones and other devices
In short: This Privacy Policy applies to all areas where personal data is processed in a structured manner via the aforementioned channels. Should we enter into legal relationships with you outside of these channels, we will inform you separately where necessary.
Legal Bases
In the following sections of this Privacy Policy, we provide transparent information about the legal principles and regulations—i.e., the legal bases of the General Data Protection Regulation—that permit us to process personal data.
With respect to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can read this EU General Data Protection Regulation online on EUR-Lex, the access portal to EU law, at:
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679
We only process your data if at least one of the following conditions is met:
- Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose, such as when you submit your information via a contact form.
- Contract (Article 6(1)(b) GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we enter into a purchase agreement with you, we need your personal information in advance.
- Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For instance, we are legally required to retain invoices for accounting purposes, which typically contain personal data.
- Legitimate interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website securely and efficiently. This constitutes a legitimate interest.
Other legal grounds, such as the performance of a task carried out in the public interest or in the exercise of official authority, or the protection of vital interests, generally do not apply to us. If such a legal basis does apply, it will be clearly indicated at the relevant point.
In addition to the EU Regulation, national laws also apply:
- In Austria, this is the Federal Act concerning the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act / DSG).
- In Germany, the Federal Data Protection Act (BDSG) applies.
If additional regional or national laws apply, we will inform you accordingly in the relevant sections below.
Contact Details of the Controller
If you have any questions regarding data protection or the processing of personal data, please find below the contact details of the controller pursuant to Article 4(7) GDPR:
Stardust Acrylics
Tamara Dogan
Margaretendamm 12
6923 Lauterach
Austria
Email: office@stardustacrylics.com
Phone: +43 676 3905660
Legal Notice: https://stardustacrylics.com/policies/legal-notice
Data Retention Period
As a general principle, we only retain personal data for as long as is strictly necessary to provide our services and products. This means that we delete personal data as soon as the purpose for processing no longer exists. In some cases, we are legally obliged to retain certain data even after the original purpose no longer applies—for example, for bookkeeping purposes.
If you request the deletion of your data or revoke your consent to data processing, the data will be deleted as quickly as possible, provided that there is no legal obligation to retain it.
Where further information on specific retention periods is available, we will inform you about it in the relevant sections below.
Rights According to the General Data Protection Regulation
In accordance with Articles 13 and 14 of the GDPR, we hereby inform you of the following rights that you have to ensure fair and transparent data processing:
- Right of access (Art. 15 GDPR): You have the right to know whether we process personal data concerning you. If we do, you have the right to obtain a copy of the data and the following information:
  - the purpose of processing;
  - the categories of data being processed;
  - the recipients of the data and, if the data is transferred to third countries, how the security of the data is ensured;
  - the duration for which the data will be stored;
  - the existence of the rights to rectification, erasure, or restriction of processing and the right to object to processing;
  - the right to lodge a complaint with a supervisory authority;
  - the source of the data, if we did not collect it directly from you;
  - whether automated decision-making (including profiling) is used.
- Right to rectification (Art. 16 GDPR): You have the right to have incorrect data corrected.
- Right to erasure (Art. 17 GDPR): Also known as the “right to be forgotten,” this means that you may request the deletion of your data.
- Right to restriction of processing (Art. 18 GDPR): This means that we may store your data but not use it for any other purpose.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a commonly used format upon request.
- Right to object (Art. 21 GDPR): You may object to data processing under certain legal bases, which will result in a review of the processing activity.
  If your data is processed based on Article 6(1)(e) (public interest, official authority) or Article 6(1)(f) (legitimate interest), you may object to such processing. We will assess whether we can legally comply with your objection as quickly as possible.
  If your data is processed for direct marketing purposes, you may object at any time. We will then no longer use your data for direct marketing.
  If your data is used for profiling purposes, you may also object at any time. We will then stop using your data for profiling.
- Right not to be subject to automated decision-making (Art. 22 GDPR): You may have the right not to be subject to a decision based solely on automated processing, including profiling.
- Right to lodge a complaint (Art. 77 GDPR): You can file a complaint with a supervisory authority at any time if you believe that the processing of your personal data violates the GDPR.
In short: You have rights—don’t hesitate to contact our responsible entity listed above if you have any concerns.
If you believe that your data is being processed in violation of data protection law or that your data protection rights have been infringed in any other way, you may file a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, which can be found at: https://www.dsb.gv.at. In Germany, each federal state has its own data protection authority. For more information, you may contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the competent local data protection authority is:
Austrian Data Protection Authority
Head: Dr. Matthias Schmidl
Address: Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at
Data Transfers to Third Countries
We only transfer or process data in countries outside the scope of the GDPR (third countries) if you have consented to such processing or if another legal basis exists. This applies particularly when processing is required by law or necessary to fulfill a contractual relationship—and always only insofar as this is legally permitted. Your consent is, in most cases, the primary reason we allow data to be processed in third countries.
The processing of personal data in third countries such as the United States—where many software providers offer services and maintain server locations—can result in personal data being processed and stored in unexpected ways.
We explicitly point out that, according to the opinion of the European Court of Justice, an adequate level of protection for data transfers to the United States currently exists only if a U.S. company that processes personal data of EU citizens in the U.S. is an active participant in the EU-U.S. Data Privacy Framework.
More information can be found at:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Data processing by U.S.-based services that are not active participants in the EU-U.S. Data Privacy Framework may lead to personal data being processed and stored in a non-anonymized manner. Furthermore, U.S. government agencies may potentially gain access to specific data. Additionally, data collected may be linked with other services from the same provider if you have an associated user account.
Wherever possible, we attempt to use server locations within the EU.
We will inform you in relevant sections of this Privacy Policy if and when data is transferred to third countries.
Security of Data Processing
To protect personal data, we have implemented both technical and organizational measures. Where feasible, we encrypt or pseudonymize personal data. This makes it as difficult as possible, within our means, for third parties to infer personal information from our data.
Article 25 of the GDPR refers to “data protection by design and by default,” which means that security must always be considered when using both software (e.g., contact forms) and hardware (e.g., server room access). Where applicable, we will explain the specific measures taken.
TLS Encryption via HTTPS
TLS, encryption, and HTTPS sound very technical—and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet.
This means that all data transmitted from your browser to our web server is encrypted—no one can “listen in.”
By implementing this security layer, we meet the requirement for data protection by design (Article 25(1) GDPR). The use of TLS (Transport Layer Security)—a protocol for secure data transmission on the internet—ensures the confidentiality of sensitive data.
You can recognize this secured connection by the small padlock icon in your browser (usually located to the left of the address bar) and the use of the prefix “https” instead of “http” in our web address.
If you want to learn more about encryption, we recommend searching for “Hypertext Transfer Protocol Secure wiki” on Google.
Communication
Summary:
👥 Data subjects: All persons who communicate with us via telephone, email, or online form
📓 Processed data: e.g., phone number, name, email address, form input. More details depending on the method used
🤝 Purpose: Handling communication with customers, business partners, etc.
📅 Retention period: Duration of the business case and legal obligations
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interests)
If you contact us via telephone, email, or online form, personal data may be processed.
This data is processed for handling your inquiry and the related business transaction. The data is stored for as long as required by the business process or applicable legal obligations.
Data Subjects
All individuals who contact us via the communication methods we provide are affected.
Telephone
If you call us, call data is pseudonymized and stored on the respective end device and by the telecommunications provider. Additionally, information such as name and phone number may be sent via email and stored to respond to your inquiry. The data will be deleted once the business transaction is complete and legal retention periods allow for deletion.
Email
If you communicate with us via email, data may be stored on the respective end device (e.g., computer, laptop, smartphone) and on the email server. The data is deleted once the business transaction is completed and legal retention periods permit deletion.
Online Forms
If you communicate with us via online form, data will be stored on our web server and may be forwarded to our email address. The data will be deleted once the business transaction is complete and legal obligations permit deletion.
Legal Bases
Data is processed on the following legal bases:
- Art. 6(1)(a) GDPR (consent): You grant us permission to store your data and use it for the business case.
- Art. 6(1)(b) GDPR (contract): Processing is necessary to fulfill a contract with you or a data processor (e.g., telecommunications provider), or for pre-contractual activities such as preparing a quote.
- Art. 6(1)(f) GDPR (legitimate interests): We aim to manage customer inquiries and business communication professionally. This requires certain technical infrastructure such as email programs, exchange servers, and telecom providers to ensure efficient communication.
Data Processing Agreement (DPA)
In this section, we explain what a Data Processing Agreement (DPA) is and why it is necessary. Since “Data Processing Agreement” is quite a mouthful, we will also use the abbreviation DPA throughout this text.
Like most businesses, we rely on services from other companies or individuals. This may involve sharing personal data for processing. These partners act as data processors, and we enter into a contract with them—the so-called Data Processing Agreement (DPA).
Most importantly for you to know: your personal data is processed exclusively in accordance with our instructions, and the DPA governs this relationship.
Who Are Data Processors?
As the company and website operator, we are responsible for all personal data we collect from you. In addition to controllers, the GDPR also recognizes data processors. These include any organization or individual that processes personal data on our behalf.
According to the GDPR definition, any natural or legal person, authority, institution, or other body that processes personal data on behalf of the controller is considered a data processor. Data processors may include service providers such as hosting providers, payment processors, newsletter providers, or large corporations such as Google or Microsoft.
Simplified overview of GDPR roles:
Data subject (you as customer or prospect) → Controller (us as business and contracting party) → Processor (e.g., hosting provider)
Content of a Data Processing Agreement
As mentioned above, we have signed DPAs with partners acting as processors. These agreements stipulate that the data processor processes personal data solely in accordance with the GDPR. The agreement must be concluded in writing—electronic signatures are considered valid. Data processing may only commence once the agreement is in place.
A DPA must contain:
- Our role as controller and the processor’s binding obligation
- Rights and obligations of the controller
- Categories of data subjects
- Types of personal data
- Nature and purpose of the processing
- Scope and duration of the processing
- Processing location
The DPA also includes all the obligations of the processor. The most important are:
- Ensuring data security
- Implementing appropriate technical and organizational measures to protect data subjects' rights
- Maintaining a record of processing activities
- Cooperating with supervisory authorities upon request
- Conducting a risk assessment regarding the personal data received
- Using sub-processors only with our prior written consent
An example of a DPA template (in German) can be found at:
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html
Cookies
Summary:
👥 Data subjects: Visitors of the website
🤝 Purpose: Depends on the specific cookie. More details can be found below or from the software provider that sets the cookie
📓 Processed data: Depends on the specific cookie. More details can be found below or from the software provider that sets the cookie
📅 Retention period: Varies depending on the cookie, from a few hours to several years
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What are cookies?
Our website uses HTTP cookies to store user-specific data.
In the following section, we explain what cookies are and why they are used, to help you better understand this Privacy Policy.
Whenever you browse the internet, you use a browser. Common browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser—these files are called cookies.
One thing is certain: cookies are very useful little helpers. Nearly all websites use cookies. More specifically, we use HTTP cookies, although there are other types for other use cases. HTTP cookies are small files stored by our website on your device. These cookie files are automatically placed in your browser’s cookie folder, essentially the "brain" of your browser. Each cookie consists of a name and a value. Additionally, one or more attributes must be defined when creating a cookie.
Cookies store specific user data, such as language settings or personalized site preferences. When you return to our website, your browser transmits this "user-related" information back to the site. Thanks to cookies, our website knows who you are and presents you with your preferred settings. In some browsers, each cookie has its own file; in others, like Firefox, all cookies are stored in a single file.
Example interaction between a web browser (e.g., Chrome) and a web server:
The browser requests a website and receives a cookie from the server, which the browser then uses again when another page is requested.
There are both first-party cookies and third-party cookies. First-party cookies are set directly by our site; third-party cookies are set by partner websites (e.g., Google Analytics). Each cookie must be evaluated individually, as it stores different data. Cookie lifespans also vary—from a few minutes to several years. Cookies are not software programs and do not contain viruses, Trojans, or other malware. Cookies also cannot access information on your device.
An example of cookie data:
- Name: _ga
- Value: GA1.2.1326744211.152112989449-9
- Purpose: Distinguishing website visitors
- Expiration: After 2 years
Minimum browser support requirements for cookies:
- At least 4096 bytes per cookie
- At least 50 cookies per domain
- At least 3000 cookies total
What types of cookies are there?
Which specific cookies we use depends on the services we implement. This will be detailed in the corresponding sections of this Privacy Policy. For now, here is a general overview of the different types of HTTP cookies.
We distinguish between four categories:
- Essential cookies
  These are required to ensure basic website functionality. For example, these cookies are needed when a user adds a product to the shopping cart, browses other pages, and then checks out later. These cookies ensure the cart isn’t emptied—even if the browser window is closed.
- Functional cookies
  These collect information about user behavior and potential error messages. They also measure loading times and how the website performs in different browsers.
- Performance cookies
  These improve user experience by storing preferences like location entries, font sizes, or form data.
- Advertising cookies
  Also known as targeting cookies, these are used to deliver personalized ads to users. This can be helpful—or annoying.
Usually, when visiting a website for the first time, you will be asked which types of cookies you want to allow. This choice is then saved in a cookie.
For more detailed information, refer to:
https://datatracker.ietf.org/doc/html/rfc6265 – “HTTP State Management Mechanism”, by the Internet Engineering Task Force (IETF).
Purpose of Cookie Processing
The purpose depends on the respective cookie. More details are provided in the following sections or by the software provider that sets the cookie.
What data is processed?
Cookies perform a wide variety of tasks. The specific data stored in cookies cannot be generalized. However, we will inform you throughout this Privacy Policy about the data processed and stored via cookies.
Retention Period of Cookies
The storage period depends on the specific cookie and will be detailed further below. Some cookies are deleted after less than an hour, while others can remain on your device for several years.
You can also influence the storage duration yourself. You can manually delete cookies via your browser at any time (see “Right to Object” below). Furthermore, cookies based on consent will be deleted once you revoke your consent. This does not affect the lawfulness of processing carried out prior to revocation.
Right to Object – How Can I Delete Cookies?
You decide how and whether cookies are used. Regardless of which service or website the cookies come from, you always have the option to delete, deactivate, or selectively allow cookies. For instance, you can block third-party cookies while allowing all others.
To view, change, or delete stored cookies, go to your browser settings:
If you generally do not want any cookies, you can configure your browser to notify you every time a cookie is set. Then you can decide individually whether to allow the cookie. The procedure differs by browser. The easiest way is to search Google with phrases like “delete cookies Chrome” or “disable cookies Chrome” if you use that browser.
Legal Basis
Since 2009, the so-called “Cookie Directives” have required user consent (Article 6(1)(a) GDPR) before cookies may be stored. However, the implementation of this requirement varies across EU countries. In Austria, it was implemented under § 165(3) of the Telecommunications Act (TKG) 2021. In Germany, the directive was not directly transposed into national law but is largely reflected in § 15(3) of the former Telemedia Act (TMG), which was replaced by the Digital Services Act (DDG) in May 2024.
For cookies that are strictly necessary, even without consent, legitimate interests apply (Art. 6(1)(f) GDPR)—mostly of a commercial nature. We aim to provide a smooth and user-friendly website experience, and certain cookies are essential to achieving this.
All non-essential cookies are used only with your explicit consent, based on Art. 6(1)(a) GDPR.
You will find more details on cookie usage in the sections below—specifically where third-party software is involved.
Web Hosting Introduction
Summary:
👥 Data subjects: Visitors of the website
🤝 Purpose: Professional hosting of the website and ensuring secure operation
📓 Processed data: IP address, time of website visit, browser used, and other data. More details can be found below or from the respective hosting provider.
📅 Retention period: Depends on the provider, usually around 2 weeks
⚖️ Legal basis: Art. 6(1)(f) GDPR (legitimate interests)
What is Web Hosting?
When you visit websites today, certain information—including personal data—is automatically generated and stored, including on this website. This data should be processed as minimally as possible and only with justification.
When we refer to our “website,” we mean the entirety of all webpages under a domain, from the homepage to the last subpage (like the one you are viewing now). A domain might be, for example, example.com or myshoptestsite.eu.
To view a website on a computer, tablet, or smartphone, you use a program called a web browser. You’re likely familiar with browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, or Apple Safari. We use the term “browser” throughout this document.
To display a website, the browser must connect to another computer where the website’s code is stored—the web server. Running a web server is a complex and technical task, which is usually handled by professional service providers—known as hosting providers. These companies offer web hosting and ensure reliable and secure storage of website data.
When your browser (on a desktop, laptop, tablet, or smartphone) connects with the web server and transfers data to and from it, personal data may be processed. On the one hand, your own device stores certain data; on the other, the web server also stores data temporarily to ensure stable and secure operation.
The following diagram (not included here) would typically illustrate the interaction between your browser, the internet, and the hosting provider.
Why Do We Process Personal Data?
The purposes of data processing include:
- Professional hosting of the website and maintaining secure operations
- Ensuring operational and IT security
- Anonymous analysis of access behavior to improve our services and potentially to investigate or pursue legal claims
What Data Is Processed?
Even as you read this, our web server—i.e., the computer on which this website is stored—typically stores the following data automatically:
- The full internet address (URL) of the accessed webpage
- Browser and browser version (e.g., Chrome 87)
- The operating system used (e.g., Windows 10)
- The URL of the previously visited page (referrer URL) (e.g., https://www.example-referrer-site.com/this-is-where-I-came-from/)
- The hostname and IP address of the device used to access the site (e.g., COMPUTERNAME and 194.23.43.121)
- Date and time of access
These are stored in files known as web server log files.
How Long Is the Data Stored?
As a rule, this data is stored for two weeks and then automatically deleted. We do not share this data, but we cannot rule out the possibility that it may be viewed by authorities in the case of unlawful conduct.
In short: Your visit is logged by our hosting provider (the company that operates our website on dedicated servers), but we do not share your data without your consent.
Legal Basis
The legal basis for the processing of personal data in the context of web hosting is Art. 6(1)(f) GDPR (legitimate interests). Professional hosting by a provider is essential for securely and efficiently presenting our business online and for taking action, if necessary, against attacks or legal claims.
A data processing agreement (DPA) pursuant to Art. 28 et seq. GDPR is typically in place between us and our hosting provider to ensure data protection compliance and security.
External Web Hosting Provider – Privacy Policy
Below you will find the contact details of our external hosting provider. In addition to the information provided above, you can learn more about data processing in their own privacy policy:
GoDaddy.com, LLC
2155 E GoDaddy Way
Tempe, AZ 85284
USA
More information on how this provider processes personal data can be found in their privacy policy.
Web Analytics Introduction
Summary:
👥 Data subjects: Visitors of the website
🤝 Purpose: Evaluation of visitor information to optimize our online offering
📓 Processed data: Access statistics including access location, device data, duration and time of access, navigation behavior, click behavior, and IP addresses. More details can be found in the respective web analytics tool.
📅 Retention period: Depends on the analytics tool used
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What is Web Analytics?
We use software on our website to analyze the behavior of website visitors—this is commonly referred to as web analytics or website analysis. During this process, data is collected, which is stored, managed, and processed by the respective analytics provider (also known as tracking tool provider). This data is used to create analyses of user behavior on our website, which are then made available to us as the website operator.
Most tools also offer various testing capabilities. For example, we can test which offers or content are most appealing to our visitors. To do this, we may show two different offers for a limited period (known as A/B testing). After the test, we know which product or content our users find more engaging. Such testing processes—and other analytics techniques—may involve the creation of user profiles and the storage of data in cookies.
Why Do We Use Web Analytics?
We have a clear goal for our website: to provide the best online offering in our industry. To achieve this, we want to offer both an appealing product range and a user-friendly experience. With the help of analytics tools, we can better understand visitor behavior and use this insight to optimize our online offering.
For example, we can determine the average age of our visitors, their location, peak visit times, and which content or products are most popular. All of this helps us adapt our site to your needs, interests, and preferences.
What Data Is Processed?
The data stored depends on the specific analytics tools used. However, in general, the following may be collected:
- Which content is viewed
- Which buttons or links are clicked
- When a page is accessed
- Which browser is used
- Which device (PC, tablet, smartphone, etc.) is used
- Which operating system is in use
If you have consented to location tracking, your location data may also be processed by the analytics provider.
Your IP address is also stored. Under the GDPR, IP addresses are considered personal data. However, IP addresses are typically stored in a pseudonymized form (i.e., anonymized or truncated). Direct identifiers such as your name, age, address, or email are not stored for the purposes of analytics, unless explicitly collected and pseudonymized.
The diagram (not shown here) typically illustrates the functionality of client-based tracking via JavaScript, such as in Google Analytics.
How Long Is the Data Stored?
The duration of data storage depends on the provider. Some cookies store data for just a few minutes or until you leave the website; others may remain on your device for several years.
Duration of Processing
We provide details about the retention period below, if further information is available. In general, we process personal data only for as long as is strictly necessary to provide our services and products. If legal obligations (e.g., accounting) apply, data may be retained beyond this period.
Right to Object
You have the right to withdraw your consent for the use of cookies and third-party providers at any time. This can be done via our cookie management tool or other opt-out mechanisms. For example, you can manage cookies directly in your browser to deactivate or delete them.
Legal Basis
The use of web analytics tools is based on your consent, which we obtain via our cookie banner. This consent constitutes the legal basis under Art. 6(1)(a) GDPR for processing personal data in the context of web analytics.
In addition to your consent, we have a legitimate interest in analyzing the behavior of website visitors to improve the technical performance and financial viability of our website. With web analytics, we can detect website errors, identify cyberattacks, and improve efficiency. The legal basis in this case is Art. 6(1)(f) GDPR (legitimate interests). However, we only use these tools if you have provided your consent.
Because cookies are used in connection with analytics tools, we also recommend reading our general privacy policy on cookies. For details on which data is collected and processed, please refer to the privacy policy of each analytics tool.
More detailed information on specific web analytics tools, where applicable, can be found in the following sections.
Google Analytics Privacy Policy
Summary:
👥 Data subjects: Visitors of the website
🤝 Purpose: Analysis of visitor information to optimize our web offering
📓 Processed data: Access statistics including location, device data, session duration and time, navigation and click behavior. More information can be found below.
📅 Retention period: Configurable; Google Analytics 4 stores data for 14 months by default
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What is Google Analytics?
We use the analytics and tracking tool Google Analytics 4 (GA4) by the American company Google Inc. For users in the European Economic Area, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for all Google services.
Google Analytics collects data about your behavior on our website. Through the use of technologies such as cookies, device IDs, and login data, you can be recognized across different devices—allowing cross-platform tracking of user activity.
For example, if you click on a link, that action is logged via a cookie and transmitted to Google Analytics. Based on the reports we receive from Google Analytics, we can better tailor our website and services to your preferences.
How Does Google Analytics Work?
Google Analytics is a tracking tool used to analyze website traffic. The analysis is based on a pseudonymous user identification number. This ID does not contain personal information such as your name or address but allows interactions to be associated with a specific device.
GA4 uses an event-based model, meaning it captures detailed user interactions such as page views, clicks, scroll behavior, and conversion events. It also incorporates machine learning capabilities to model missing data and predict user behavior and trends.
To enable Google Analytics, a tracking code is embedded in our website’s source code. When you visit our website, this code logs various events that occur during your session. With the event-based model in GA4, we as website operators can define and track specific events that are relevant to our business—such as submitting a contact form or completing a purchase.
Once you leave our site, the collected data is transmitted to Google’s analytics servers and stored there.
What Reports Does Google Provide?
Google processes the collected data and provides us with the following reports, among others:
- Audience reports: Help us better understand who is using our service
- Advertising reports: Allow us to analyze and improve our online advertising
- Acquisition reports: Show how users arrive at our website
- Behavior reports: Reveal how users interact with our website (e.g., click paths, link clicks)
- Conversion reports: Show which marketing actions led to desired actions (e.g., purchases, newsletter sign-ups)
- Real-time reports: Let us see what’s happening on the website in real time (e.g., current readers)
GA4 also includes the following features:
- Event-based tracking: Customizable to track specific user interactions such as video plays, purchases, or newsletter signups
- Advanced analytics tools: Help us better understand user segments, behavior paths, and compare audiences
- Predictive modeling: Uses machine learning to estimate missing data and forecast future trends
- Cross-platform analysis: Enables tracking across websites and apps—provided you have given consent
What Data Does Google Analytics Store?
Google Analytics generates a random, unique ID via a tracking code, which is linked to your browser cookie. This allows Google Analytics to recognize you as a new user and assign you a User ID. Upon return visits, you are identified as a "returning user." All collected data is stored under this pseudonymized user ID—enabling evaluation without directly identifying you.
To analyze our website using Google Analytics, a Property ID is embedded into the tracking code. Data is then collected and stored in the corresponding property. By default, all newly created properties use Google Analytics 4. The storage duration of data depends on the specific property settings.
If you consent to it, your interactions may be tracked across platforms using identifiers such as cookies, app instance IDs, user IDs, or custom event parameters. Interactions include all types of actions on our website. If you use other Google systems (such as a Google Account), data collected via Analytics may be linked to third-party cookies.
Google does not share Analytics data unless we, the website operator, explicitly approve it. Exceptions apply only if required by law.
According to Google, IP addresses are not logged or stored in Google Analytics 4. IP data is used solely for geolocation purposes and deleted immediately afterward. For users in the EU, IP addresses are removed before the data is stored in any data center or server.
While GA4 relies less on cookies than its predecessor (Universal Analytics), it still uses certain specific cookies. Examples include:
Cookie Examples:
Name | Value | Purpose | Expiration |
---|---|---|---|
_ga | 2.1326744211.152112989449-5 | Used to store a user ID; distinguishes website visitors | After 2 years |
_gid | 2.1687193234.152112989449-1 | Distinguishes website visitors | After 24 hours |
_gat_gtag_UA_<property-id> | 1 | Used to throttle request rate; if loaded via Google Tag Manager, appears as _dc_gtm_<property-id> | After 1 minute |
Note: This list is not exhaustive. Google may adjust cookie usage over time.
Google Analytics 4 also includes privacy-enhancing controls, such as custom data retention settings and more granular tracking options.
What Types of Data Are Collected?
Here’s an overview of the key data types collected through Google Analytics:
- Heatmaps: Show which areas on our site you interact with (e.g., clicks, scroll zones)
- Session duration: Time spent on the site without exiting (session ends after 20 minutes of inactivity)
- Bounce rate: Measures if you left the site after viewing only one page
- Account creation & purchases: Data is collected when you create an account or place an order
- Geolocation: IP addresses are not stored, but used briefly for location inference before deletion
- Technical information: Browser type, ISP, screen resolution
- Traffic sources: How you arrived at the site (e.g., from an ad or a referring page)
- Additional actions: Contact form submissions, reviews, media playback, sharing via social media, adding items to favorites
This list is not exhaustive. It serves as a general overview of the types of data that may be processed.
Where and How Long Are Data Stored?
Google operates data centers worldwide. You can view an overview here:
https://www.google.com/about/datacenters/locations/?hl=en
Your data is distributed across various physical storage devices. This redundancy improves access speed and protects against manipulation. Each Google data center includes failover systems to minimize downtime in the event of hardware failure or natural disasters.
The retention period for data depends on the property configuration. GA4 offers four retention settings:
- 2 months – minimum option
- 14 months – default setting
- 26 months – extended retention
- Indefinite – data remains until manually deleted
There's also an option to reset retention each time you return to the site within the configured period.
When the selected retention period expires, data is deleted once a month. This applies to data linked to cookies, user identifiers, and ad IDs (e.g., DoubleClick cookies). Reports are based on aggregated data and remain available independently of individual user data.
How Can I Delete or Prevent Data Storage?
Under EU data protection law, you have the right to access, update, delete, or restrict your personal data.
To prevent Google Analytics 4 from using your data, you can install the browser add-on for deactivating Google Analytics JavaScript (analytics.js, gtag.js):
https://tools.google.com/dlpage/gaoptout?hl=en
Please note: This add-on only disables data collection by Google Analytics.
If you wish to disable or manage cookies entirely, please refer to the browser-specific instructions in our “Cookies” section.
Legal Basis
The use of Google Analytics is based on your explicit consent, which we obtain via our cookie consent banner. According to Art. 6(1)(a) GDPR, this consent is the legal basis for processing personal data in connection with web analytics tools.
In addition, we have a legitimate interest in analyzing visitor behavior to improve the technical performance and economic efficiency of our website. This constitutes a legal basis under Art. 6(1)(f) GDPR. Nevertheless, we only use Google Analytics if you have provided consent.
Data Transfers to the USA
Google may process data in the United States. Google is an active participant in the EU–U.S. Data Privacy Framework, which governs the lawful and secure transfer of personal data from the EU to the U.S.
More information:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Additionally, Google uses Standard Contractual Clauses (SCCs) in accordance with Art. 46(2) and (3) GDPR. These are contractual templates approved by the European Commission that ensure data transferred to third countries (like the USA) is handled in line with EU data protection standards.
By adhering to the SCCs and the EU–U.S. Privacy Framework, Google commits to maintaining GDPR-level protection, even when your data is stored and processed in the U.S.
Details on the SCCs and the EU Commission’s implementing decision:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Google Ads Data Processing Terms (referencing the SCCs):
https://business.safety.google/adsprocessorterms/
Data Processing Agreement (DPA) with Google Analytics
In accordance with Art. 28 GDPR, we have entered into a Data Processing Agreement (DPA) with Google. This contract is legally required since Google processes personal data on our behalf.
The DPA specifies that Google may only process data received from us in accordance with our instructions and must comply with the GDPR.
You can review Google’s DPA (Ads Data Processing Terms) here:
https://business.safety.google/adsprocessorterms/
🧪 Google Optimize Privacy Policy
We use Google Optimize, a website optimization tool provided by Google Inc. For the EU/EEA, the responsible entity is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google may process your data in the USA and is a certified participant in the EU–U.S. Data Privacy Framework, ensuring the lawful and secure transfer of EU personal data to the U.S.
As with Google Analytics, Standard Contractual Clauses (SCCs) are also used for data transfers. These clauses help guarantee an adequate level of data protection, even when data is stored or processed in third countries like the United States.
EU Commission decision and SCC templates:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Google Ads Data Processing Terms (also valid for Optimize):
https://business.safety.google/adsprocessorterms/
For more information on how Google processes data through Optimize, refer to the general Google Privacy Policy:
https://policies.google.com/privacy?hl=en
Data Processing Agreement (DPA) for Google Optimize
In accordance with Art. 28 GDPR, we have also signed a Data Processing Agreement with Google for the use of Google Optimize.
As with Analytics, the DPA defines that Google must process the personal data we provide only on our behalf and in accordance with the GDPR.
DPA reference:
https://business.safety.google/adsprocessorterms/
Google Site Kit Privacy Policy
Summary of Google Site Kit Data Processing
👥 Data subjects: Visitors to this website
🤝 Purpose: Analysis of user behavior to optimize the web offering
📓 Processed data: Access statistics including access locations, device data, session duration and time, navigation behavior, click behavior, and IP addresses. More details can be found below and in the Google Analytics section of this privacy policy.
📅 Retention period: Depends on the properties used
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is Google Site Kit?
We have integrated the Google Site Kit plugin by Google Inc. (USA) into our website. For users in the EU and EEA, the responsible entity is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Site Kit allows us to view statistics from various Google services – such as Google Analytics – directly in our WordPress dashboard. These tools may also collect personal data, which we will outline below.
Google Site Kit is a plugin for the WordPress content management system. It aggregates important analytics data from tools like:
- Google Analytics
- Google Search Console
- Google PageSpeed Insights
- Google AdSense
- Google Optimize
- Google Tag Manager
Why do we use Google Site Kit?
As a service provider, our goal is to offer you the best possible user experience on our website. We want to ensure you can quickly and easily find what you're looking for.
Statistical analysis helps us better understand your needs and tailor our offering accordingly.
Google Site Kit simplifies this process by allowing us to view key data from various Google services without logging into each tool individually – all data is displayed in one unified dashboard.
What data is collected by Google Site Kit?
If you consent to tracking tools via our cookie notice (script/banner), services like Google Analytics will store cookies and transfer data about your usage behavior to Google’s servers, where it will be processed and possibly stored – including personal data such as your IP address.
For more detailed information, please see the Google Analytics section of this privacy policy. There you will find specific details about the types of data collected, the cookies used, how long data is retained, and how you can opt out.
The following are example cookies used by Google Analytics that may be set in your browser if you consent to tracking:
Cookie | Value (Example) | Purpose | Expiry |
---|---|---|---|
_ga | 2.1326744211.152112989449-2 | Used to distinguish users | 2 years |
_gid | 2.1687193234.152112989449-7 | Also used to distinguish users | 24 hours |
_gat_gtag_UA_<property-id> | 1 | Used to throttle request rates | 1 minute |
Note: This is a non-exhaustive list. Google may update or change cookie usage at any time.
Where and how long are the data stored?
Data collected via Site Kit is stored on Google’s servers, which are located around the world. Many of these are based in the United States, meaning your data may be stored there.
You can view the data center locations here:
https://www.google.com/about/datacenters/locations/?hl=en
Data collected via Google Analytics is typically stored for 26 months, after which it is automatically deleted. This applies to user data associated with cookies, user identifiers, and advertising IDs.
How can I delete or prevent data collection?
You have the right to:
- Access your data
- Request deletion
- Request correction
- Restrict processing
You can also disable, delete, or manage cookies in your browser at any time.
For guidance on managing cookies, see the “Cookies” section of this privacy policy.
Legal Basis
The use of Google Site Kit is based on your explicit consent, obtained via our cookie consent banner. This is the legal basis under Art. 6(1)(a) GDPR.
In addition, we have a legitimate interest in analyzing website usage to improve the technical stability and economic efficiency of our service. This constitutes a legal basis under Art. 6(1)(f) GDPR.
However, we will only use Site Kit tools where consent has been provided.
Data Transfers to the USA
Google may process your personal data in the United States. Google is an active participant in the EU–U.S. Data Privacy Framework, which ensures the lawful and secure transfer of personal data from the EU to the USA.
More information:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Google also relies on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2) and (3) GDPR. These are legal templates provided by the European Commission to ensure an adequate level of data protection in third countries such as the USA.
Google commits to complying with EU data protection standards, even when storing or processing your data outside the EU.
Commission Decision and SCC Templates:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Google Ads Data Processing Terms (referencing SCCs):
https://business.safety.google/adsprocessorterms/
Further Information
To learn more about how Google processes your personal data, we recommend reviewing Google’s privacy policy:
https://policies.google.com/privacy?hl=en
Meta Conversions API Privacy Policy
Summary of Meta Conversions API Data Processing
👥 Data subjects: Visitors to this website
🤝 Purpose: Optimization of our service performance
📓 Processed data: Customer data, user behavior, device information, IP address.
📅 Retention period: Until the data is no longer useful for Meta’s purposes
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is the Meta Conversions API?
We use the Meta Conversions API, a server-side event tracking tool, on our website.
The service is provided by Meta Platforms Inc. (USA). For users in the EU, the responsible entity is:
Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The Meta Conversions API is a feature that allows us to measure the performance of our advertising campaigns in real time. It is an interface (API) that connects our website to Meta and enables the tracking of specific on-site user actions (so-called "conversions").
A conversion might include clicking a button, submitting a form, or making a purchase. Unlike client-side tracking (e.g. Meta Pixel), the Conversions API sends data server-side directly from our server to Meta.
This method is designed to increase tracking precision and reliability and may involve processing of personal data.
Why do we use the Meta Conversions API?
We use the Meta Conversions API to improve the quality of our website, services, and advertising campaigns. Our goal is to offer the best possible experience to our users.
By analyzing user actions (conversions), we can better understand user behavior, tailor content and offerings to individual needs, and improve the relevance and cost-effectiveness of our marketing efforts.
Ultimately, we want our ads to reach people who are genuinely interested in our products — and Meta Conversions API helps us do that with better data quality.
What data is collected by the Meta Conversions API?
Through the Meta Conversions API, we can capture and transmit various types of data to Meta. The specific data collected depends on our implementation and the tracked events.
Common categories include:
- Event data (e.g. registrations, purchases, pageviews, button clicks)
- User data (e.g. name, email address, physical address, IP address)
- Device data (e.g. device type, operating system, browser, screen resolution)
- Timestamp of the action/event
Some of this information may constitute personal data, especially when linked with other data sources.
Where and how long is the data stored?
In general, Meta stores data for as long as it is needed for its services and products. Meta operates servers worldwide, and user data may be processed or stored in the United States.
Customer event data is typically deleted within 48 hours after being matched to Meta user data.
How can I delete or block the data collection?
You have the right at any time to:
- Access your personal data
- Object to data processing
- Request deletion
- File a complaint with a supervisory authority
You can prevent data collection by refusing consent via our cookie consent tool.
Since Meta Conversions API works server-side, blocking it is not as straightforward as with browser-based tools. However, you may still:
- Adjust your browser’s privacy settings
- Block known Meta tracking domains and scripts
- Review and manage your preferences in your Meta (Facebook/Instagram) account
Legal Basis
If you have given consent to the processing of your data via the Meta Conversions API, this consent serves as the legal basis for data processing in accordance with Art. 6(1)(a) GDPR.
In addition, we rely on our legitimate interest (Art. 6(1)(f) GDPR) to analyze interactions and optimize user experience and ad performance.
Nonetheless, we only activate Meta Conversions API if consent has been obtained.
Data Transfers to the USA
Meta may process your personal data in the United States. Meta is an active participant in the EU–U.S. Data Privacy Framework, which ensures lawful and secure data transfers from the EU to the US.
More details here:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Meta also uses Standard Contractual Clauses (SCCs) under Art. 46(2) and (3) GDPR. These are legal templates approved by the European Commission to ensure a sufficient level of data protection in third countries like the USA.
Meta’s commitment to SCCs and GDPR standards means your data is protected even when processed outside the EU.
More on the SCCs:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Meta’s Data Processing Terms referencing SCCs:
https://www.facebook.com/legal/terms/dataprocessing
Further Information
To learn more about how Meta handles your personal data, please visit their official privacy policy:
https://www.facebook.com/about/privacy
Pinterest Web Analytics Privacy Policy
Summary
👥 Data subjects: Visitors to this website
🤝 Purpose: Analysis of visitor information to optimize our web offering
📓 Processed data: Access statistics, such as user location, device information, access duration and timestamp, navigation and click behavior, and IP addresses. See below and Pinterest’s Privacy Policy for further details.
📅 Retention period: Data is generally stored as long as necessary for Pinterest's business purposes
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is Pinterest Web Analytics?
We use Pinterest Web Analytics, a web analytics tool provided by the social media platform Pinterest. The provider is Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA.
For users in the European Economic Area, the data controller is:
Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Pinterest is a visual discovery and social media platform focused on graphic content such as images and infographics. The name "Pinterest" combines the words "pin" and "interest." Users interact with one another by saving and sharing images according to their hobbies and preferences.
Pinterest Web Analytics allows us to analyze the interactions of users who visit our website from Pinterest. It provides insights into how Pinterest users behave on our website.
Why do we use Pinterest Web Analytics?
Pinterest continues to be one of the most popular and widely used platforms, particularly in visual-centric industries like ours. Since our content is highly visual, Pinterest is an ideal platform for us to showcase our brand and reach new audiences.
The analytics tool enables us to gain insights into the performance of our content and optimize it accordingly. The collected data may also be used for advertising purposes, ensuring that our marketing efforts are shown to users who are likely interested in our products or services.
What data is processed by Pinterest Web Analytics?
Pinterest may collect log data, including:
- Browser type
- IP address
- The referring URL (our website address and actions taken on it)
- Search history
- Date and time of requests
- Cookie and device data
If you interact with Pinterest features (e.g., clicking the "Pin" button), cookies may be placed in your browser. These cookies store various data, such as your language preferences and clickstream data, which reflect your behavior on our website.
If you are logged into your Pinterest account while visiting our site, the collected data may be linked to your account and used for targeted advertising.
Here are some examples of cookies that may be set in your browser:
Cookie Name | Purpose | Expiration |
---|---|---|
_auth | Authentication; stores login credentials (e.g., username) | 1 year |
_pinterest_referrer | Stores the URL of the referring website (ours) | End of session |
_pinterest_sess | Login session cookie; includes user IDs, auth tokens, timestamps | 1 year |
_routing_id | Identifies specific routing targets | 1 day |
cm_sub | Stores user ID and timestamp | 1 year |
csrftoken | Likely used for security (CSRF protection) | 1 year |
sessionFunnelEventLogged | No detailed information available yet | 1 day |
Where and how long is data stored?
Pinterest stores data as long as it is necessary for the purposes outlined in its business model. Once the data is no longer required (including for legal obligations), it is deleted or anonymized.
Some data may be stored on Pinterest’s servers located in the United States.
Right to Object and Opt-Out Options
You have the right to withdraw your consent to the use of cookies and third-party services such as Pinterest at any time. This can be done through:
- Our cookie consent management tool
- Browser settings (to disable or delete cookies)
- Pinterest-specific opt-out mechanisms
As embedded Pinterest elements may use cookies, we recommend reviewing our Cookie Policy for further information. For specific details on Pinterest’s data handling, refer to their privacy documentation.
Legal Basis
The use of Pinterest Web Analytics is based on your explicit consent (Art. 6(1)(a) GDPR).
Additionally, we rely on legitimate interests (Art. 6(1)(f) GDPR) to optimize our website and communicate effectively with visitors and customers. We only activate Pinterest Web Analytics after you have provided your consent.
Pinterest may also use cookies, which is why we advise you to read both our Cookie Policy and Pinterest’s own Privacy Policy carefully.
Data Transfers to the USA
Pinterest may process your personal data in the United States.
Please note: According to the Court of Justice of the European Union (CJEU), there is currently no adequate level of protection in place for data transfers to the US. This may involve risks to the legality and security of your data.
To safeguard such transfers, Pinterest uses Standard Contractual Clauses (SCCs) in accordance with Art. 46(2) and (3) GDPR. These are legal frameworks approved by the European Commission to ensure that your data remains protected, even when transferred outside the EEA.
You can review the official SCC decision here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Pinterest's reference to SCCs can be found in its privacy documentation:
https://policy.pinterest.com/en/privacy-policy#section-residents-of-the-eea
Further Information
We aim to provide a clear and comprehensive overview of how Pinterest Web Analytics processes your data. For more details, please visit Pinterest’s official Privacy Policy:
https://policy.pinterest.com/en/privacy-policy
TikTok Pixel Privacy Policy
Summary
👥 Data subjects: Visitors to this website
🤝 Purpose: Optimization of our service offering
📓 Processed data: IP address, browser data, timestamp of your visit, click behavior, and similar usage data. More details can be found below and in TikTok’s privacy policy.
📅 Retention period: Varies depending on configuration
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is TikTok Pixel?
We use the tracking software TikTok Pixel on our website. The service provider is Beijing Bytedance Technology Ltd., based in China. For users within the European Economic Area, the responsible entity is:
TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
TikTok is a social media platform particularly popular with younger audiences, where users create, share, and view short video clips.
TikTok Pixel is a piece of JavaScript code embedded in our website to analyze user behavior. It is one of the tools available through TikTok for Business and helps us measure website traffic, monitor advertising performance, optimize campaigns, and attract new customers.
This privacy policy explains which data TikTok processes via its Pixel, how long that data is stored, and how you can manage your data privacy preferences.
Why do we use TikTok Pixel?
We implemented TikTok Pixel to gain better insight into user behavior on our website, identify areas for improvement, and personalize our advertising campaigns on TikTok. Our goal is to ensure that our marketing content is only shown to individuals genuinely interested in our products or services.
What data does TikTok Pixel process?
To enable tracking, a JavaScript code is embedded into our site. The Pixel collects various user behavior data, often using cookies. Some of this data may qualify as personal data, such as your IP address.
TikTok distinguishes between the following categories of information:
- Ad/Event Information: Data related to the ad a user clicked on within TikTok.
- Timestamps: The exact moment a pixel event occurred (e.g., when a user clicks a button).
- IP Address: Used to determine the user's geographic location.
- User Agent: Helps identify the device model, operating system, and browser version.
- Cookies: Used for performance measurement of ad campaigns and site performance.
- Metadata & Click Events: Includes page performance data like load time and button clicks (button names, descriptions, and attributes).
Note: The precise data collected depends heavily on how the TikTok Pixel is configured and cannot be exhaustively listed here.
These data are used to analyze website usage patterns and personalize advertising.
Where and how long is data stored?
TikTok stores your data as long as necessary to provide its platform and services, as outlined in its own Privacy Policy. This includes fulfilling contractual and legal obligations, supporting platform security and stability, and asserting or defending legal claims.
Data may be stored on servers located in the USA or other countries. The exact retention periods are not publicly specified by TikTok and may vary based on legal and internal policy requirements. We will update this policy as soon as further information becomes available.
How can I delete or restrict data storage?
You have the right at any time to:
- Access your personal data
- Request correction or deletion
- Restrict or object to processing
- Withdraw your consent for future processing
If you want to manage cookies generally, please refer to our “Cookies” section, where you’ll find instructions for the most common browsers.
If you have a TikTok account, you can also adjust your privacy settings directly within the TikTok app, including what data may be shared.
Legal Basis
If you have given consent for TikTok Pixel to process and store your data, your consent serves as the legal basis (Art. 6(1)(a) GDPR). Additionally, we rely on legitimate interests (Art. 6(1)(f) GDPR), such as effective communication with you or other customers and business partners.
TikTok Pixel may also set cookies in your browser to store data. We therefore recommend reading both our Cookie Policy and TikTok’s Privacy Policy.
Data Transfers to the USA and Third Countries
TikTok processes personal data in the United States and other third countries.
Important: According to the Court of Justice of the European Union (CJEU), the United States currently does not provide an adequate level of data protection. This may pose risks to the legality and security of your data.
To address this, TikTok uses Standard Contractual Clauses (SCCs) under Art. 46(2) and (3) GDPR. These are template contracts approved by the European Commission to ensure that data transferred outside the EEA still benefits from adequate protection.
You can view the EU Commission’s implementing decision and SCC templates here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Further Information
To learn more about how TikTok processes your data and how the TikTok Pixel works, please visit:
https://www.tiktok.com/legal/page/eea/privacy-policy/en
https://www.tiktok.com/en/
Email Marketing – Introduction
Summary
👥 Data subjects: Newsletter subscribers
🤝 Purpose: Direct marketing via email, notification of system-relevant events
📓 Processed data: Data entered during registration, at minimum your email address. More details can be found in the privacy policy of the respective email marketing service provider.
📅 Retention period: For the duration of the subscription
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is Email Marketing?
To keep you up to date, we use email marketing. If you have given us consent to receive our emails or newsletters, we process and store relevant data about you. Email marketing is a subcategory of online marketing in which news or information about a company, its products, or services is sent by email to a specific group of interested individuals.
If you would like to participate in our email marketing (usually via a newsletter), you typically only need to provide your email address using a subscription form. In some cases, we may also ask for your name and salutation so we can address you personally.
We use a double opt-in process for newsletter subscriptions. After registering, you’ll receive an email asking you to confirm your subscription. This ensures that the email address genuinely belongs to you and prevents misuse. We or the service provider we use document this process to meet legal requirements – typically by storing the time of subscription, confirmation, IP address, and any changes to your data.
Why do we use email marketing?
We aim to maintain direct contact with you and keep you informed about relevant updates to our business. Email marketing – often referred to as "newsletters" – is a vital part of our online communication strategy. Provided you have given your consent or it is legally permitted, we send newsletters, system-related emails, and promotional updates. Our goal is to send valuable and relevant content about our brand, products, and exclusive offers.
If we use third-party providers with professional email delivery tools, we do so to ensure fast, reliable, and secure delivery. The core purpose of our email marketing is to keep you informed and support our business objectives.
What data is processed?
By subscribing to our newsletter, you confirm your inclusion in our email list. In addition to your IP address and email address, other optional data like your salutation, name, address, or telephone number may also be stored — but only if you voluntarily provide them. The essential data is required for service delivery; without it, you cannot participate in our newsletter.
Other information, such as device data or your website preferences, may also be stored. Your consent is logged to prove legal compliance.
Retention period
If you unsubscribe, we may retain your email address for up to three years based on our legitimate interests, solely to demonstrate past consent if legally required. These data will only be processed if we must defend legal claims.
You may, however, request deletion at any time, and if you explicitly confirm your previous consent, we will remove your data. If you permanently withdraw consent, we may place your email on a blocklist to prevent future communications. As long as you are subscribed, your email remains stored.
Right to object
You may unsubscribe from our newsletter at any time by clicking the unsubscribe link included in every email. If the link is unavailable, please contact us directly via email, and we will promptly remove you from our list.
Legal basis
Our newsletters are sent based on your explicit consent (Art. 6(1)(a) GDPR). We may also send marketing messages to customers under the legitimate interest clause (Art. 6(1)(f) GDPR), provided you haven’t objected to the use of your email address for direct marketing.
For detailed information on third-party email marketing tools and their data processing practices, see the respective sections further down.
Push Notifications – Introduction
Summary
👥 Data subjects: Subscribers to push notifications
🤝 Purpose: Real-time notifications about important or promotional content
📓 Processed data: Data entered during registration, usually also location data. More details can be found in the provider-specific privacy policy.
📅 Retention period: As long as required to provide the service
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(b) GDPR (Contract)
What are push notifications?
Our website uses push notification services to keep you informed in real time. With your consent, we can send you brief messages via software tools, even when you’re not actively visiting our site. These notifications can appear on smartphones, tablets, or desktop devices. In doing so, we may also collect data about your device location and usage behavior.
Why do we use push notifications?
We use push notifications to deliver contractually relevant updates and for marketing purposes. These messages allow us to inform you immediately about new features, products, or important changes in our business. Learning about user preferences helps us continuously improve our offerings.
What data is processed?
Before receiving push notifications, you must explicitly opt in. Data collected during this process is logged to prove consent. This includes storing a device token or push token in your browser, and typically, your location data as well.
For performance optimization, we also evaluate how recipients interact with these notifications (e.g. opening, clicking), which allows us to adjust our messaging strategy. While these data may technically be linked to individuals, we analyze them only in aggregated form for optimization purposes.
Retention period
The retention period depends on the specific push service provider. Personal data is processed only as long as necessary for delivering the service. When cookies are involved, storage duration varies widely – from session-based to several years. Please refer to each provider’s privacy notice for specific information.
Legal basis
Push notifications may be necessary to fulfill contractual obligations (Art. 6(1)(b) GDPR), such as technical updates. In all other cases, messages are only sent with your explicit consent (Art. 6(1)(a) GDPR).
Location-based delivery and analytic evaluation of user interaction also require your prior consent. You can withdraw your consent or adjust preferences at any time in your device or browser settings.
Messenger & Communication Introduction
Messenger & Communication Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Handling inquiries and general communication between you and us
📓 Processed data: Data such as name, address, email address, phone number, general content data, and, if applicable, IP address. More details can be found in the respective tools used.
📅 Storage duration: Depends on the messaging and communication functions used
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(b) GDPR (contractual or pre-contractual obligations)
What are messenger and communication functions?
We offer various options on our website (such as messenger and chat functions, online or contact forms, email, telephone) to communicate with us. In the process, your data is also processed and stored to the extent necessary to respond to your inquiry and any subsequent actions.
In addition to conventional communication methods such as email, contact forms, or telephone, we also use chat or messenger services. The currently most widely used messenger service is WhatsApp, though there are many different providers that offer messenger functions specifically for websites. If content is end-to-end encrypted, this will be noted either in the individual privacy texts or the respective provider’s privacy policy. End-to-end encryption means that even the provider cannot view the content of a message. However, device information, location settings, and other technical data may still be processed and stored.
Why do we use messenger and communication functions?
Communication with you is very important to us. After all, we want to talk to you and answer all questions about our services as best as possible. Effective communication is a key part of our service. With practical messenger and communication functions, you can choose the method you prefer at any time. In exceptional cases, we may not be able to answer specific inquiries via chat or messenger—for example, if they concern internal contractual matters. In such cases, we recommend using alternative communication channels such as email or phone.
As a rule, we assume responsibility under data protection law, even if we use services from a social media platform. However, the European Court of Justice has ruled that in certain cases, the operator of the platform may be jointly responsible with us under Art. 26 GDPR. Where this is the case, we will explicitly point it out and operate based on a corresponding agreement. The core content of such an agreement will be stated below for the respective platform.
Please note that when using our integrated elements, data may also be processed outside the European Union, as many providers—such as Facebook Messenger or WhatsApp—are U.S. companies. This could limit your ability to assert your rights in relation to your personal data.
What data is processed?
The specific data stored and processed depends on the provider of the messenger and communication functions. Generally, this includes data such as name, address, phone number, email address, and content data (e.g., any information entered into a contact form). Device information and IP addresses are usually also stored. Data collected through a messenger or communication function is also stored on the provider’s servers.
If you would like to know exactly what data is stored and processed by each provider and how you can object to the data processing, we recommend reading the provider’s respective privacy policy thoroughly.
How long is the data stored?
How long the data is processed and stored depends primarily on the tools used. More information about the data processing of specific tools can be found below. The providers’ privacy policies usually specify exactly what data is stored and for how long. In general, personal data is only processed as long as it is necessary to provide our services. If data is stored in cookies, the storage duration can vary greatly. Some cookies may be deleted immediately after leaving a website, while others may be stored for several years. Therefore, you should examine each cookie individually to understand its storage. Most provider privacy policies also contain informative details about specific cookies.
Right to object
You have the right at any time to withdraw your consent to the use of cookies or third-party services. This can be done either via our cookie management tool or other opt-out features. You can also prevent data collection by cookies by managing, disabling, or deleting cookies in your browser. For more information, refer to the section on consent.
Since cookies may be used in connection with messenger and communication functions, we also recommend reviewing our general cookie policy. To find out exactly what data is stored and processed about you, please consult the respective tool’s privacy policy.
Legal basis
If you have consented to the processing and storage of your data via integrated messenger and communication functions, this consent serves as the legal basis for data processing (Art. 6(1)(a) GDPR). We process your inquiry and manage your data in the context of contractual or pre-contractual relationships to fulfill our obligations or respond to inquiries. The legal basis for this is Art. 6(1)(b) GDPR. Furthermore, your data may also be processed based on our legitimate interest in fast and efficient communication with you or other customers and business partners (Art. 6(1)(f) GDPR).
Facebook Messenger Privacy Policy
Facebook Messenger Privacy Policy Summary
👥 Data subjects: Facebook Messenger users
🤝 Purpose: Communication
📓 Processed data: Contact details, messages, media
📅 Storage duration: Until account deletion
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What is Facebook Messenger?
We use the instant messaging service Facebook Messenger on our website. The service is provided by the American company Meta Platforms Inc. For the European region, the responsible entity is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
Facebook Messenger is a chat messaging feature developed by Facebook that allows you to send and receive text messages, voice and video calls, photos, and other media files with other Facebook users.
When you use Facebook Messenger, personal data is also processed on Facebook's servers. This includes your phone number, chat messages, photos, videos, profile data, your address, or your location.
Why do we use Facebook Messenger?
We want to stay in touch with you, and the best way to do so is through messaging services such as Facebook Messenger. It functions reliably and remains one of the most well-known social media platforms. The service is convenient and allows for easy and quick communication with you.
What data is processed by Facebook Messenger?
Various types of data, including personal data, may be processed through the use of Facebook Messenger. This includes account information such as your phone number, profile picture, username, or other data you provided to Facebook during account setup and management. Facebook also stores the content of your messages (text, photos, videos, voice messages).
Metadata such as the date and time a message was sent or received is also stored. Facebook Messenger may access your contacts to facilitate communication. Technical data such as device type, operating system, or location information is also collected and stored.
How long and where is the data stored?
Facebook stores data for as long as it is needed for its services and products. Facebook operates servers worldwide to store its data. However, customer data—once matched with internal user data—is deleted within 48 hours.
How can I delete my data or prevent data storage?
You have the right to access, rectify, delete, or restrict the processing of your personal data at any time. You may also withdraw your consent to the processing of your data at any time. Final deletion of your data only occurs once your Facebook account is deleted.
To permanently delete your Facebook account, follow these steps:
- Log in to Facebook and click on “Settings” in the top-right corner.
- Then click on “Your Facebook Information” in the left-hand column.
- Click on “Deactivation and Deletion.”
- Select “Delete Account” and then click “Continue to Account Deletion.”
- Enter your password, click “Continue,” and then “Delete Account.”
Legal basis
The use of Facebook Messenger is based on your consent, which we collect via our consent tool (popup). This consent constitutes the legal basis for processing personal data under Art. 6(1)(a) GDPR.
In addition to your consent, we also have a legitimate interest in improving our service. Facebook Messenger allows us to communicate with you more quickly and efficiently. The legal basis for this is Art. 6(1)(f) GDPR. We use Facebook Messenger only if you have given your consent.
Facebook may also process your data in the USA. Facebook (Meta Platforms) is an active participant in the EU-US Data Privacy Framework, which governs the lawful and secure transfer of personal data from EU citizens to the USA. More information is available at:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Additionally, Facebook uses Standard Contractual Clauses (SCCs) under Art. 46(2) and (3) GDPR. These model clauses are issued by the European Commission and ensure that your data continues to meet EU data protection standards, even when transferred to third countries (such as the USA).
Through the EU-US Data Privacy Framework and the SCCs, Facebook is obliged to maintain the EU level of data protection, even when processing your data in the USA.
The relevant decision and model clauses can be found here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Facebook’s Data Processing Terms referencing the SCCs are available at:
https://www.facebook.com/legal/terms/dataprocessing
For more details on the data processed by Facebook, please refer to their privacy policy at:
https://www.facebook.com/about/privacy
Data Processing Agreement (DPA) – Facebook Messenger
In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have concluded a Data Processing Agreement (DPA) with Facebook. You can read more about what a DPA entails and what must be included in such an agreement in our general section “Data Processing Agreement (DPA).”
This contract is legally required because Facebook processes personal data on our behalf. The agreement ensures that Facebook may only process data received from us in accordance with our instructions and in compliance with the GDPR.
The DPA is available at:
https://www.facebook.com/legal/terms/dataprocessing
WhatsApp Privacy Policy
WhatsApp Privacy Policy Summary
👥 Data subjects: WhatsApp users
🤝 Purpose: Communication
📓 Processed data: Contact information, messages, media
📅 Storage duration: After account deletion or deactivation
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What is WhatsApp?
We use the instant messaging service WhatsApp on our website. The service provider is the American company WhatsApp Inc., a subsidiary of Meta Platforms Inc. (formerly Facebook Inc. until October 2021). For the European region, the responsible entity is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
You likely already know WhatsApp, as it is one of the most widely used messaging services globally. Over the years, WhatsApp and its parent company Meta Platforms have faced criticism regarding their handling of personal data—particularly the merging of WhatsApp user data with Facebook. In response, Facebook adjusted its terms of service in 2021 and stated that, as of now (2021), no personal WhatsApp data is shared with Facebook.
Nevertheless, a variety of personal data is processed by WhatsApp when you use the service and have consented to data processing. This includes your phone number, chat messages, sent photos and videos, and profile data. Photos and videos are reportedly stored only temporarily, and all messages and calls are end-to-end encrypted. This means Meta should not be able to access their content. WhatsApp also stores information from your contact list and additional metadata.
Why do we use WhatsApp?
We aim to stay in touch with you, and WhatsApp is the most efficient way to do so. The service functions reliably and remains the most widely used instant messaging tool worldwide. It allows for quick and straightforward communication with you.
What data is processed by WhatsApp?
Various types of data, including personal data, may be processed through the use of WhatsApp. This includes account information such as your phone number, profile picture, username, or other data you provide when creating and managing your WhatsApp account. WhatsApp also stores the content of your messages (text, photos, videos, voice messages), as well as metadata such as the date and time messages were sent or received.
In addition, WhatsApp stores the phone numbers of the parties involved in communication, along with technical data such as device type, operating system, and location data.
How long and where is the data stored?
Data is stored by WhatsApp for as long as necessary to fulfill its legitimate purposes and legal obligations. The exact storage duration depends on the type of data. Messages are generally stored only in encrypted form during transmission and are deleted from WhatsApp’s servers once delivered. Longer-term storage typically occurs only on your own device.
When media files are sent, WhatsApp temporarily stores them (in encrypted form) for up to 30 days to optimize delivery. Account data is stored as long as your WhatsApp account remains active. If you delete or deactivate your account, the data is usually deleted as well.
Data collected by WhatsApp is stored on servers located around the world. To operate web-based WhatsApp services, data is also collected via cookies.
How can I delete my data or prevent data storage?
You have the right to access, correct, delete, or restrict the processing of your personal data at any time. You may also withdraw your consent to data processing at any time.
If you do not wish for cookies to be set or data to be stored while using the desktop version of WhatsApp, you can prevent cookie placement in your browser. You can manage, disable, or delete cookies via your browser settings. The exact procedure varies depending on the browser you use. Further details can be found in our section on cookies.
Legal basis
The use of WhatsApp is based on your consent, which we collect via our consent tool (popup). This consent constitutes the legal basis for the processing of personal data pursuant to Art. 6(1)(a) GDPR.
In addition to consent, we have a legitimate interest in improving our communication offering. WhatsApp allows us to respond to your inquiries faster, share important information, and enhance our service. The legal basis for this is Art. 6(1)(f) GDPR (legitimate interests).
Nevertheless, we only use WhatsApp if you have provided your consent.
WhatsApp may also process your data in the United States. WhatsApp is an active participant in the EU-US Data Privacy Framework, which governs the lawful and secure transfer of personal data from EU citizens to the USA. More information is available at:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Additionally, WhatsApp uses what are known as Standard Contractual Clauses (SCCs) pursuant to Art. 46(2) and (3) GDPR. These model clauses, issued by the European Commission, ensure that your data continues to meet European data protection standards when transferred to third countries (e.g., the USA).
Through the EU-US Data Privacy Framework and the SCCs, WhatsApp commits to upholding the European level of data protection, even when your data is stored, processed, or managed in the United States. These clauses are based on an implementing decision by the EU Commission, which can be accessed here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Information regarding WhatsApp's data transfer policies, including compliance with the SCCs, can be found at:
https://www.whatsapp.com/legal/business-data-transfer-addendum-20210927
We hope this information has provided a clear overview of how WhatsApp uses and processes your data. For further details, please refer to WhatsApp’s Privacy Policy:
https://www.whatsapp.com/privacy
Chatbots Privacy Policy
Chatbots Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Contact inquiries and general communication between you and us
📓 Processed data: Data such as name, address, email address, telephone number, general content data, and possibly IP address. For more details, please refer to the specific tools used.
📅 Storage duration: Depends on the chatbots and chat functions used
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(b) GDPR (contractual or pre-contractual obligations)
What are chatbots?
You may communicate with us via chatbots or similar chat functions. A chat allows for near real-time written or spoken communication. A chatbot is a software application designed to answer your questions and possibly provide you with updates. The use of such communication tools may involve the processing and storage of personal data.
Why do we use chatbots?
We place high value on communication with you. We want to answer your questions and provide the best possible service. A well-functioning communication system is an essential part of our service. Chatbots offer the advantage of answering frequently asked questions automatically, saving us time while still providing you with comprehensive and helpful responses. If the chatbot cannot assist you, you can always contact us personally.
Please note that by using these integrated features, your data may be processed outside the European Union, since many providers are American companies. As a result, you may not be able to exercise or enforce your data protection rights as easily.
What data is processed?
You may also use chat services on other websites or platforms. In this case, your user ID may be stored on the servers of those websites. We may also be informed of which user used the chat function at which time. The content of the conversation is also stored. The exact data collected depends on the respective service provider. Typically, this includes contact information such as email address or phone number, IP address, and various usage data.
If you have consented to the use of the chat function, your consent and any registration may also be recorded and stored. We do this to be able to prove your consent if legally required.
The provider of the chat platform may also receive technical information about your device and may determine the time you are actively using the chat. Depending on your device settings, data such as your approximate location may also be collected. This data may be used to optimize the service and improve security, as well as to support personalized marketing and advertising activities.
If you have agreed to receive messages from a chatbot, you may of course revoke this consent at any time. The chatbot will typically offer instructions on how to unsubscribe. Once unsubscribed, your data will be removed from the recipient directory.
We use the above-mentioned data to personalize communication, respond to your inquiries, and send relevant content. It also helps us improve the chatbot services in general.
How long is the data stored?
The duration of data processing and storage depends primarily on the tools used. More details can be found in the privacy policies of the respective providers. In general, personal data is processed only as long as necessary to provide our services. If data is stored in cookies, the storage period may vary. Some cookies are deleted immediately when the website is exited, while others may remain for several years. For more precise information, we recommend reviewing each cookie in detail.
Most providers’ privacy policies include detailed information on cookies and their retention periods.
Right to object
You may revoke your consent to the use of cookies and third-party tools at any time. This can be done via our cookie management tool or by using other opt-out functions. You can also prevent data collection through cookies by adjusting the cookie settings in your browser, where you can manage, disable, or delete them.
As chat services may use cookies, we also recommend reviewing our general Cookie Policy. To find out exactly what data is stored and processed, please read the privacy policies of the individual tools.
Legal basis
We ask for your consent to process your data via a pop-up window before activating chat services. If you consent, this constitutes the legal basis for data processing (Art. 6(1)(a) GDPR).
We also process your inquiries and manage your data within the context of contractual or pre-contractual obligations, based on Art. 6(1)(b) GDPR.
Furthermore, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in ensuring quick and efficient communication with you or other customers and business partners.
Nonetheless, we only use these tools if you have provided your explicit consent.
Social Media Privacy Policy
Social Media Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Showcasing and optimizing our services, communication with visitors and potential customers, advertising
📓 Processed data: Data such as phone numbers, email addresses, contact details, user behavior data, device information, and IP address. For more details, please refer to the specific social media tools used.
📅 Storage duration: Depends on the respective social media platform
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What is social media?
In addition to our website, we are also active on various social media platforms. User data may be processed in this context to enable us to target users who show interest in our services via these platforms. Furthermore, elements of a social media platform may be embedded directly into our website—for example, when you click a social button that redirects you to our social media profile. Social media refers to websites and apps that allow registered users to create content, share it publicly or in groups, and network with other members.
Why do we use social media?
Social media platforms have long been central to online communication and networking. Through our social media presence, we aim to showcase our products and services to interested users. The social media elements embedded in our website help you easily access our social media content without complications.
The primary purpose of storing and processing data through your use of social media channels is to conduct web analytics. These analytics allow us to develop more targeted, personalized marketing and advertising strategies. Based on your behavior on a social media platform, data may be analyzed to infer your interests and create user profiles. This allows platforms to present you with tailored advertisements. Cookies are typically used for this purpose to track your online activity.
We generally assume that we remain the data controller, even when using services from a social media platform. However, the European Court of Justice has ruled that in some cases, the platform operator and we may be jointly responsible within the meaning of Art. 26 GDPR. If this applies, we explicitly inform you and operate on the basis of an appropriate joint controller agreement. Key elements of this agreement are outlined in the section for the relevant platform.
Please be aware that when using social media platforms or any embedded elements, your personal data may also be processed outside the European Union, as many providers (such as Facebook or Twitter) are U.S.-based companies. Consequently, you may not be able to easily exercise your rights under EU data protection laws.
What data is processed?
The data that is stored and processed depends on the respective social media provider. Generally, this includes information such as phone numbers, email addresses, data you enter into contact forms, usage data (e.g., which buttons you click, who you follow or like, when you visit which pages), device information, and your IP address. Most of this data is stored using cookies. If you are logged into your account on the social media platform, this data may be linked to your personal profile.
All data collected via a social media platform is stored on the provider’s servers. Therefore, only the respective provider has access to the data and can provide appropriate information or make changes.
If you want to know exactly what data is stored and how it is processed, we recommend carefully reading the privacy policy of the respective provider. For questions about data storage or to exercise your rights, please contact the provider directly.
Duration of data processing
Where available, we provide specific details about the duration of data processing below. For example, Facebook stores data as long as it is required for their own purposes. However, customer data that has been matched with user data is generally deleted within two days. In general, we only process personal data for as long as necessary to provide our services. In cases where we are legally obligated to retain data (e.g., accounting), the retention period may be extended accordingly.
Right to object
You have the right to withdraw your consent to the use of cookies or third-party services such as embedded social media elements at any time. This can be done via our cookie management tool or other opt-out features. You can also manage, disable, or delete cookies directly through your browser settings.
As social media tools may use cookies, we also recommend reviewing our general Cookie Policy. To learn exactly what data is stored and processed, please refer to the privacy policies of the respective tools.
Legal basis
If you have consented to the processing and storage of your data by integrated social media elements, this consent serves as the legal basis for data processing (Art. 6(1)(a) GDPR). Additionally, data may be processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in effective communication with users, customers, or business partners. However, we only use these tools with your explicit consent.
Most social media platforms also place cookies in your browser to store data. For this reason, we recommend reading both our Cookie Policy and the respective provider’s privacy or cookie policy carefully.
You can find specific information about individual social media platforms, where applicable, in the following sections.
Facebook Privacy Policy
Facebook Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Optimization of our service
📓 Processed data: Customer data, user behavior data, device information, and IP address. More details can be found in the full privacy policy below.
🗓 Storage period: until data is no longer useful for Facebook's purposes
⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What are Facebook Tools?
We use selected Facebook tools on our website. Facebook is a social media network operated by Meta Platforms Inc., or for the European region, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With these tools, we can provide you and others interested in our products and services with the best possible offering.
When data is collected and forwarded via our embedded Facebook elements or our Facebook page (fan page), both we and Facebook Ireland Ltd. are responsible. Facebook is solely responsible for further data processing. Our shared responsibilities are defined in a publicly accessible agreement available at https://www.facebook.com/legal/controller_addendum. This agreement requires us to inform you clearly about the use of Facebook tools on our site and ensure they are integrated in compliance with data protection law. Facebook is responsible for the data security of its own products. If you direct data protection questions to us, we are obliged to forward them to Facebook.
Below is an overview of the various Facebook tools, the data they collect, and how you can delete this data.
Facebook offers various products known as "Facebook Business Tools," but for simplicity, we refer to them as Facebook Tools. These include:
- Facebook Pixel
- Social plugins (e.g., the "Like" or "Share" button)
- Facebook Login
- Account Kit
- APIs
- SDKs
- Platform integrations
- Plugins
- Code
- Specifications
- Documentation
- Technologies and services
These tools extend Facebook's services and allow the company to receive information about user activities outside of Facebook.
Why do we use Facebook Tools on our website?
We aim to show our products and services only to those genuinely interested. With Facebook Ads, we can reach precisely these individuals. To show targeted ads, Facebook requires data about users' preferences and interests. This data is collected via user behavior (and contact data) on our website. Facebook then uses this information to display relevant ads for our products/services.
Data about your behavior on our website is termed "event data" by Facebook. This is used for analytics and reporting services, allowing Facebook to generate campaign reports for us and provide insight into how you use our services. With this data, we can enhance your user experience. For instance, social plugins allow you to share our content directly on Facebook.
What data is stored by Facebook tools?
Using Facebook tools can transmit personal data (customer data) to Facebook. Depending on the tool, this data may include name, address, phone number, and IP address.
Facebook uses this data to match it with data it already has on you (if you are a Facebook user). Before the data is sent, it is hashed (converted into a string for encryption purposes).
In addition to contact data, "event data" (such as pages visited or purchases made) is transmitted. Facebook does not share this data with third parties unless explicitly permitted or legally required. Event data may be combined with contact data to provide more personalized advertising. After this matching process, contact data is deleted.
To optimize ad delivery, Facebook uses event data only when combined with other data it has. It also uses this data for security, development, and research. Much of this data is transmitted via cookies—small text files used to store data in browsers. The number and type of cookies vary depending on the tools used and whether you are logged into Facebook. More on Facebook cookies is available at https://www.facebook.com/policies/cookies.
How long and where is the data stored?
Facebook stores data as long as it is needed for its services. Facebook has servers worldwide. Customer data matched with Facebook user data is deleted within 48 hours.
How can I delete or prevent data storage?
Under the GDPR, you have the right to access, correct, transfer, and delete your data.
To fully delete your Facebook data, you must delete your Facebook account:
- Click "Settings" on Facebook.
- Click "Your Facebook Information."
- Select "Deactivation and Deletion."
- Choose "Delete Account," then click "Continue to Account Deletion."
- Enter your password, click "Continue," and then "Delete Account."
Data collection via cookies (e.g., social plugins) can also be managed in your browser. You can disable, delete, or manage cookies, depending on your browser. For detailed instructions, see the "Cookies" section.
Legal Basis
If you have consented to data processing via embedded Facebook tools, your consent constitutes the legal basis (Art. 6 para. 1 lit. a GDPR). Data is also processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in efficient communication with you and other stakeholders. We use these tools only with your consent.
Facebook also processes data in the USA and is a participant in the EU-US Data Privacy Framework, ensuring compliant data transfer from the EU to the USA. More at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Facebook uses Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR) to comply with EU data protection when processing data in third countries. Details here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
Facebook's data processing terms referencing the SCCs: https://www.facebook.com/legal/terms/dataprocessing
For more details on how Facebook processes your data, see: https://www.facebook.com/privacy/policy/
Facebook Login Privacy Policy
We have integrated the convenient Facebook Login feature on our website. This allows you to log in to our site using your Facebook account, without having to create a separate user account. If you choose to register via Facebook Login, you will be redirected to the social media network Facebook, where the login process is carried out using your Facebook credentials. This login process results in the storage and transfer of your data and user behavior to Facebook.
To store this data, Facebook uses various cookies. Below we list the most important cookies that may be set in your browser when you use Facebook Login on our site:
Name: fr
Value: 0jieyh4c2GnlufEJ9..Bde09j…1.0.Bde09j
Purpose: This cookie ensures that the social plugin on our website functions optimally.
Expiration: After 3 months
Name: datr
Value: 4Jh7XUA2112989449SEmPsSfzCOO4JFFl
Purpose: Facebook sets the “datr” cookie when a web browser accesses facebook.com. It helps identify login activity and protect users.
Expiration: After 2 years
Name: _js_datr
Value: deleted
Purpose: This session cookie is set by Facebook for tracking purposes, even if you do not have a Facebook account or are logged out.
Expiration: End of session
Note: The cookies listed above are only a small selection of cookies Facebook may use. Other cookies include, for example, _fbp, sb, or wd. A full list is not possible, as Facebook uses a variety of cookies and applies them dynamically.
The Facebook Login offers you a quick and easy registration process, while also enabling us to share data with Facebook. This allows us to tailor our offers and marketing campaigns better to your interests and preferences. Data we receive from Facebook in this context includes public information such as:
- Your Facebook name
- Your profile picture
- An associated email address
- Friend lists
- Button activity (e.g. “Like” button)
- Date of birth
- Language
- Place of residence
In return, we provide Facebook with information about your activities on our website, such as the device you used, which subpages you visited, or which products you purchased.
By using Facebook Login, you consent to the processing of your data. You can revoke this agreement at any time. For more information on data processing by Facebook, please refer to the Facebook Privacy Policy at:
https://www.facebook.com/privacy/policy/
If you are logged into Facebook, you can manage your ad preferences at:
https://www.facebook.com/adpreferences/advertisers/?entry_product=ad_settings_screen
Facebook Social Plugins Privacy Policy
Our website integrates social plugins from Meta Platforms Inc. You can recognize these buttons by the classic Facebook logo, such as the “Like” button (a hand with a raised thumb) or a clearly labeled “Facebook Plugin” indicator. A social plugin is a small element of Facebook embedded into our site. Each plugin has its own function. The most commonly used functions are the familiar “Like” and “Share” buttons.
Facebook offers the following social plugins:
- “Save” button
- “Like”, Share, Send, and Quote
- Page plugin
- Comments
- Messenger plugin
- Embedded posts and video players
- Group plugin
You can find detailed information about how each plugin is used at:
https://developers.facebook.com/docs/plugins
We use these plugins to improve your user experience on our site and to enable Facebook to optimize our advertising.
If you have a Facebook account or have previously visited https://www.facebook.com/, Facebook has already placed at least one cookie in your browser. In this case, your browser sends information to Facebook via this cookie whenever you visit our site or interact with a plugin (e.g., clicking the “Like” button).
According to Facebook, the information collected is deleted or anonymized within 90 days. This data includes your IP address, the website you visited, the date and time, and information about your browser.
To prevent Facebook from collecting extensive data during your visit to our website and linking it to your Facebook account, you must log out of Facebook before visiting our site.
If you are not logged into Facebook or do not have an account, less information will be transmitted to Facebook due to fewer cookies. However, data such as your IP address or the pages you visit may still be transmitted. Please note that we do not have full knowledge of the exact content of the data transmitted. We strive to inform you to the best of our current knowledge. For more details on how Facebook uses your data, please refer to Facebook’s data policy at:
https://www.facebook.com/about/privacy/update
At minimum, the following cookies are set in your browser when visiting a website with Facebook social plugins:
Name: dpr
Value: not specified
Purpose: Ensures proper functionality of the social plugins on our website.
Expiration: End of session
Name: fr
Value: 0jieyh4112989449c2GnlufEJ9..Bde09j…1.0.Bde09j
Purpose: Necessary for the proper functioning of the plugins.
Expiration: After 3 months
Note: These cookies were set during testing, even if you are not a Facebook member.
If you are logged into Facebook, you can manage your ad preferences at:
https://www.facebook.com/adpreferences/advertisers/
If you are not a Facebook user, you can manage your usage-based online advertising at:
https://www.youronlinechoices.com/de/praferenzmanagement/?tid=112989449
For more information on Facebook’s data protection practices, please refer to the company’s privacy policies at:
https://www.facebook.com/privacy/policy/
Instagram Privacy Policy
Instagram Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Optimization of our services
📓 Processed Data: Data such as user behavior, information about your device, and your IP address.
More details can be found in the privacy policy below.
📅 Storage Duration: Until Instagram no longer needs the data for their purposes
⚖️ Legal Bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is Instagram?
We have integrated functions from Instagram on our website. Instagram is a social media platform operated by Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA. Since 2012, Instagram has been a subsidiary of Meta Platforms Inc. and is part of the Facebook product family. Integrating Instagram content into our website is known as embedding. This allows us to display content such as buttons, photos, or videos from Instagram directly on our website. When you access pages of our web presence that have an Instagram function integrated, data is transmitted, stored, and processed by Instagram. Instagram uses the same systems and technologies as Facebook. Therefore, your data is processed across all Facebook companies.
Below, we provide a deeper insight into why Instagram collects data, what data is collected, and how you can control the data processing as much as possible. Since Instagram is part of Meta Platforms Inc., we refer both to Instagram's policies and to Meta's general privacy policies.
Instagram is one of the most popular social media networks worldwide. It combines the features of a blog with the audiovisual capabilities of platforms such as YouTube or Vimeo. You can upload photos and short videos to "Insta" (as users commonly call it), edit them with various filters, and share them across other social networks. Even if you’re not actively posting, you can still follow interesting users.
Why do we use Instagram on our website?
Instagram has seen massive growth in recent years. Naturally, we’ve responded to this boom. We want you to feel as comfortable as possible on our website. Therefore, it’s important for us to present our content in a diverse and engaging way. Embedded Instagram functions allow us to enrich our content with helpful, entertaining, or inspiring content from the Instagram world. Since Instagram is a Facebook subsidiary, the collected data may also support personalized advertising on Facebook. This helps ensure our ads reach only people who are genuinely interested in our products or services.
Instagram also uses the collected data for measurement and analysis. We receive aggregated statistics that provide us with more insight into your preferences and interests. These reports do not personally identify you.
What data does Instagram store?
When you visit one of our pages that has Instagram functions (such as embedded images or plugins), your browser automatically connects to Instagram’s servers. Data is then transmitted, stored, and processed by Instagram, regardless of whether you have an Instagram account or not. This includes information about our website, your device, purchases made, ads viewed, and how you interact with our offerings. The date and time of your interaction with Instagram are also stored. If you have an Instagram account and are logged in, Instagram stores significantly more data about you.
Facebook (and by extension Instagram) differentiates between customer data and event data. Customer data includes, for example, name, address, phone number, and IP address. This data is only transmitted to Instagram after it has been "hashed," meaning the data is converted into a character string to encrypt it. Event data includes information about your user behavior. Contact data can also be combined with event data. The collected contact data is compared with data already available to Instagram.
The data is transmitted to Facebook via small text files (cookies), which are typically set in your browser. Depending on the Instagram functions used and whether you have an Instagram account, the amount of stored data may vary.
We assume that Instagram processes data in the same way Facebook does. This means that if you have an Instagram account or have visited www.instagram.com, at least one cookie has already been set. If this is the case, your browser sends information to Instagram via this cookie whenever you interact with an Instagram function. These data are deleted or anonymized after 90 days (following synchronization).
Despite extensive research into Instagram’s data processing, we cannot state exactly which data Instagram collects and stores.
Below are examples of cookies that are set in your browser when interacting with an Instagram function (e.g., button or image). We assume in this test that you do not have an Instagram account. If you are logged in, significantly more cookies are set.
Example Cookies Used:
- Name: csrftoken
  Value: “”
  Purpose: Likely set for security purposes to prevent cross-site request forgery. Exact purpose unknown.
  Expiration: After one year
- Name: mid
  Value: “”
  Purpose: Used by Instagram to optimize services and offerings in and outside Instagram. Sets a unique user ID.
  Expiration: End of session
- Name: fbsr_112989449124024
  Value: Not specified
  Purpose: Stores the login request for Instagram app users.
  Expiration: End of session
- Name: rur
  Value: ATN
  Purpose: Ensures proper functionality on Instagram.
  Expiration: End of session
- Name: urlgen
  Value: “{"194.96.75.33": 1901}:1iEtYv:Y833k2_UjKvXgYe112989449”
  Purpose: Used for Instagram’s marketing purposes.
  Expiration: End of session
Note: We cannot guarantee completeness here. The specific cookies set depend on the embedded functions and your Instagram usage.
How long and where are the data stored?
Instagram shares information with other Facebook companies, external partners, and with users globally. Data processing is carried out in accordance with their data policy. Your data is distributed across Facebook’s global servers for security purposes. Most of these servers are located in the USA.
How can I delete or prevent data storage?
Under the GDPR, you have the right to access, transfer, correct, and delete your data. You can manage your data via your Instagram settings. To permanently delete your Instagram data, you must delete your Instagram account.
To delete your Instagram account:
Open the Instagram app. On your profile page, scroll down and click “Help Center.” You’ll be redirected to the company’s website. Click “Managing Your Account” then “Delete Your Account.”
If you delete your account, Instagram will delete posts such as photos and status updates. Information shared by others about you is not part of your account and will not be deleted.
As previously mentioned, Instagram primarily stores your data via cookies. These can be managed, disabled, or deleted in your browser. Refer to our “Cookies” section for relevant instructions based on your browser.
You can also configure your browser to notify you each time a cookie is about to be set, allowing you to decide individually whether to accept it.
Legal Basis
If you have consented to the processing and storage of your data via embedded social media elements, your consent serves as the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Your data is also stored and processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and efficient communication with you and other customers or business partners. We only use embedded social media elements with your consent. Most social media platforms also set cookies in your browser to store data. Therefore, we recommend reading our general privacy policy on cookies and reviewing the respective provider’s privacy or cookie policies.
Instagram also processes data in the USA. Instagram/Meta Platforms is an active participant in the EU-U.S. Data Privacy Framework, which regulates the secure transfer of personal data from EU citizens to the U.S. Learn more at:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Additionally, Instagram uses Standard Contractual Clauses (SCCs) in accordance with Art. 46 para. 2 and 3 GDPR. These clauses, provided by the European Commission, ensure compliance with European data protection standards when data is transferred and stored in third countries (e.g., the USA). By participating in the EU-U.S. Data Privacy Framework and using SCCs, Instagram commits to maintaining European data protection standards even when data is processed in the USA. These clauses are based on an EU Commission implementing decision, which can be accessed here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
We have done our best to explain the key aspects of Instagram’s data processing. For more details, please consult Instagram’s data policy at:
https://privacycenter.instagram.com/policy/
Pinterest Privacy Policy
Pinterest Privacy Policy Summary
👥 Data subjects: Visitors of the website
🤝 Purpose: Optimization of our services
📓 Processed data: Data such as user behavior, device information, IP address, and search terms. More details can be found below in the full privacy policy.
🗓 Storage duration: Until Pinterest no longer requires the data for its purposes
⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate Interests)
What is Pinterest?
We use buttons and widgets from the Pinterest social media network, operated by Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA. For users in Europe, Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) is responsible for data protection matters.
Pinterest is a social network specializing in graphic content and photographs. The name is a blend of the words "pin" and "interest." Users can exchange ideas about hobbies and interests and view profiles with shared images, either publicly or within defined groups.
Why do we use Pinterest?
Pinterest has been a popular and widely-used social media platform for many years. It is particularly suitable for our industry because it focuses on beautiful and engaging visuals. Therefore, we also maintain a presence on Pinterest and aim to showcase our content beyond our website. The collected data may also be used for advertising purposes, allowing us to display promotional messages specifically to people who are interested in our products or services.
What data is processed by Pinterest?
Log data may be stored, including browser information, IP address, the URL of our website and user interactions (e.g., clicking the Save or Pin button), search history, date and time of the request, and cookie and device data. When you interact with embedded Pinterest features, cookies storing various data may be placed in your browser. Typically, log data, language settings, and clickstream data are stored in cookies. Clickstream data refers to your behavior while visiting our website.
If you have a Pinterest account and are logged in, data collected via our site may be linked to your account and used for advertising purposes. When interacting with our embedded Pinterest features, you are usually redirected to Pinterest. Below are examples of cookies that may be set in your browser.
Name: _auth
Value: 0
Purpose: Used for authentication. May store values like your username.
Expiration: After one year
Name: _pinterest_referrer
Value: 1
Purpose: Stores that you came to Pinterest via our website. The URL is saved.
Expiration: End of session
Name: _pinterest_sess
Value: ...9HRHZvVE0rQlUxdG89
Purpose: Stores login information such as user IDs, authentication tokens, and timestamps.
Expiration: After one year
Name: _routing_id
Value: "8d850ddd-4fb8-499c-961c-77efae9d4065112989449-8"
Purpose: Identifies a specific routing target.
Expiration: After one day
Name: cm_sub
Value: denied
Purpose: Stores a user ID and timestamp.
Expiration: After one year
Name: csrftoken
Value: 9e49145c82a93d34fd933b0fd8446165112989449-1
Purpose: Likely used for security to prevent request forgery.
Expiration: After one year
Name: sessionFunnelEventLogged
Value: 1
Purpose: Specific function not clearly known.
Expiration: After one day
How long and where are the data stored?
Pinterest generally stores collected data until it is no longer needed for its business purposes. Once data retention is no longer necessary, e.g., to meet legal requirements, the data is either deleted or anonymized to ensure that no personal identification is possible. Data may also be stored on servers in the United States.
Right to object
You have the right to revoke your consent to the use of cookies and third-party providers like Pinterest at any time. This can be done through our cookie management tool or other opt-out features. You can also prevent data collection by managing, deactivating, or deleting cookies in your browser.
Since Pinterest elements may use cookies, we also recommend reading our general privacy policy on cookies. To know exactly what data is collected and processed, please refer to the privacy policies of the respective tools.
Legal basis
If you have given your consent for the processing and storage of your data via embedded social media elements, this consent constitutes the legal basis for the data processing (Art. 6 para. 1 lit. a GDPR). Your data may also be processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and effective communication with you or other customers and business partners. However, we only use this tool if you have given your consent. Most social media platforms also place cookies in your browser to store data. Therefore, we recommend reading our cookie policy and the provider’s privacy or cookie policy.
Pinterest processes your data in the U.S., among other locations. We point out that the European Court of Justice currently considers the data transfer to the U.S. to lack an adequate level of protection. This can involve risks for the legality and security of data processing.
To ensure data protection when transferring data to countries outside the EU, including the U.S., Pinterest uses Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). These EU Commission-approved templates ensure that your data meet European data protection standards even when stored or processed outside the EU. You can find the EU Commission’s decision and the clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
For more information on Pinterest’s use of Standard Contractual Clauses, visit: https://policy.pinterest.com/en/privacy-policy#section-residents-of-the-eea
We have aimed to present you with the most important information about Pinterest’s data processing. You can find more details in Pinterest’s privacy policy at: https://policy.pinterest.com/en/privacy-policy
TikTok Privacy Policy
TikTok Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Optimization of our service
📓 Processed data: May include your IP address, browser data, date and time of page access. More details can be found below in this privacy policy.
📅 Storage period: Varies depending on settings
⚖️ Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is TikTok?
We use TikTok integration on our website. The service provider is the Chinese company Beijing Bytedance Technology Ltd. For the European region, the responsible company is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. TikTok is a popular social media platform, especially among young people, where users can create, share, and view short video clips.
In this privacy policy, we inform you about the data processed by TikTok, how long the data is stored, and how you can manage your privacy settings.
Why do we use TikTok on our website?
We have embedded TikTok on our website so that you can watch and, if desired, interact with TikTok videos. TikTok is known for fun and creative content, and of course we want to provide you with such content. After all, we ourselves enjoy watching a creative TikTok video from time to time.
What data is processed by TikTok?
When you view or interact with TikTok videos on our website, TikTok may collect information about your usage behavior and your device. This may include data such as your IP address, browser type, operating system, location, and other technical information. TikTok may also use cookies and similar technologies to collect information and personalize your user experience.
If you have a TikTok account, additional information may be collected and processed, such as user details (e.g., name, date of birth, or email address) and data about your communication with other TikTok users.
How long and where is the data stored?
The storage period and locations of the data collected by TikTok can vary significantly and are subject to TikTok’s privacy policies. TikTok may also store data on servers in the USA and other countries. The storage duration is usually based on legal requirements and internal guidelines. However, we have not yet been able to determine the exact storage period. As soon as we have more information, we will inform you accordingly.
How can I delete my data or prevent data storage?
If you have a TikTok account, you can manage your privacy settings directly on TikTok. For example, you can specify in your TikTok account settings which information may be shared. You can also manage and disable cookies in your web browser to limit data collection — even without having a TikTok account. Please note that doing so may affect the functionality of our website and your TikTok experience.
Legal basis
If you have consented to the processing and storage of your data by TikTok, this consent serves as the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Your data may also be stored and processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and effective communication with you or other customers and business partners. We only use these embedded social media elements if you have given your consent. TikTok may also set cookies in your browser to store data. Therefore, we recommend reading our full cookie privacy policy and the privacy policy or cookie guidelines of the respective provider.
TikTok also processes your data in the USA. We point out that, according to the Court of Justice of the European Union, there is currently no adequate level of protection for data transfers to the USA. This may pose various risks regarding the legality and security of data processing.
As a basis for data processing for recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, particularly the USA) or for data transfers to such countries, TikTok uses so-called Standard Contractual Clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission to ensure that your data continues to comply with European data protection standards when transferred and stored in third countries (such as the USA). By using these clauses, TikTok undertakes to comply with the EU level of data protection when processing your relevant data — even if stored, processed, and managed in the USA. These clauses are based on an implementing decision by the EU Commission. You can find the decision and the corresponding clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Further information on TikTok’s privacy policy and data collection practices can be found on TikTok’s website at https://www.tiktok.com/legal/page/eea/privacy-policy/en and in TikTok’s general information at https://www.tiktok.com/en/.
Blogs and Publication Media
Blogs and Publication Media Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Presentation and optimization of our service as well as communication between website visitors, security measures, and administration
📓 Processed Data: Data such as contact information, IP address, and published content. More details can be found in the privacy policies of the specific tools used.
📅 Storage Duration: Depends on the tools used
⚖️ Legal Bases: Art. 6 (1) lit. a GDPR (Consent), Art. 6 (1) lit. f GDPR (Legitimate Interests), Art. 6 (1) sentence 1 lit. b GDPR (Contract)
What are Blogs and Publication Media?
We use blogs or other communication media on our website, which allow us to communicate with you and for you to communicate with us. In doing so, data may be stored and processed by us. This may be necessary to present content properly, to enable communication, and to enhance security. In this privacy text, we generally explain which data may be processed. Exact details depend on the tools and functions used. The respective providers' privacy policies contain precise information on data processing.
Why do we use Blogs and Publication Media?
Our main goal with this website is to offer interesting and engaging content. At the same time, your opinions and input are important to us. Therefore, we strive to create interactive exchanges between you and us. Various blogging and publication tools help us achieve this. For example, you can comment on our content, respond to other comments, or in some cases, even publish your own posts.
What data is processed?
The specific data processed depends on the communication functions we use. Typically, IP address, username, and published content are stored. This is primarily to ensure security, prevent spam, and take action against illegal content. Cookies may also be used for data storage—these are small text files saved in your browser with relevant information. Details on collected and stored data can be found in our tool-specific sections and the respective providers' privacy policies.
Duration of Data Processing
We will inform you further below about the duration of data processing if we have more information available. For example, comment and post functions typically store data until you revoke the data storage. In general, personal data is stored only as long as absolutely necessary to provide our services.
Right to Object
You have the right and the ability to revoke your consent to the use of cookies or third-party communication tools at any time. This can be done via our cookie management tool or through other opt-out features. You can also manage, deactivate, or delete cookies in your browser to prevent data collection.
Since publication media may use cookies, we also recommend reading our general privacy policy on cookies. To learn exactly what data is stored and processed, please review the privacy policies of the specific tools.
Legal Basis
We primarily use communication tools on the basis of our legitimate interest (Art. 6 (1) lit. f GDPR) in fast and effective communication with you, our customers, business partners, or visitors. Where the use relates to the performance or initiation of a contractual relationship, Art. 6 (1) sentence 1 lit. b GDPR applies as a legal basis.
Certain processes, especially the use of cookies and comment or messaging functions, require your consent. If and insofar as you have consented to the processing and storage of your data by embedded publication media, this consent serves as the legal basis for the data processing (Art. 6 (1) lit. a GDPR). Most communication functions we use set cookies in your browser to store data. We therefore recommend you read our cookie policy and the privacy statements or cookie policies of the respective service providers.
Information on specific tools can be found in the following sections, if available.
Online Marketing Privacy Policy Introduction
Online Marketing Privacy Policy Summary
👥 Data subjects: Visitors to the website
🤝 Purpose: Analysis of visitor information to optimize our web offering
📓 Processed data: Access statistics including access locations, device data, duration and time of access, navigation behavior, click behavior, and IP addresses. Personal data such as name or email address may also be processed. More details can be found in the respective online marketing tools used.
📅 Storage period: Depending on the online marketing tools used
⚖️ Legal basis: Art. 6 (1)(a) GDPR (Consent), Art. 6 (1)(f) GDPR (Legitimate Interests)
What is Online Marketing?
Online marketing refers to all measures conducted online to achieve marketing objectives such as increasing brand awareness or driving sales. Our online marketing activities aim to attract attention to our website. These activities typically include online advertising, content marketing, and search engine optimization. To deploy online marketing efficiently and effectively, personal data may also be stored and processed. These data help us display content to users who are genuinely interested and to measure the success of our campaigns.
Why do we use online marketing tools?
We want to reach every person interested in our offerings. Without targeted marketing measures, this is not feasible. Various tools help us implement our online marketing activities and provide valuable data-driven improvement suggestions. These tools help us tailor our campaigns to our target audience and ultimately optimize our services.
Which data are processed?
To make online marketing work and to measure campaign success, user profiles are created, and data are stored in cookies (small text files). These data allow us to serve ads, display content on our site based on user preferences, and gather insights. For example, the cookies store information such as which pages you visited on our site, how long you stayed, which links or buttons you clicked, or from which site you arrived. Technical data such as IP address, browser type, device used, and access time may also be stored. If you've consented to location tracking, your location may also be processed.
Your IP address is stored in a pseudonymized format (i.e., shortened). Personally identifiable data such as your name, address, or email address are only stored in a pseudonymized form as part of advertising or online marketing. We cannot identify you personally from the stored information.
Cookies may also be used across other websites using the same marketing tools. Data may be stored on the servers of those third-party providers.
In exceptional cases, identifiable personal data may be stored in the user profiles, e.g., if you are a member of a social media platform that links existing data with your user profile.
We only receive aggregated, non-personally identifiable information from these providers, helping us understand which campaigns lead users to our site and which products/services are being purchased.
Duration of Data Processing
We inform you about the duration of processing below if we have further details. In general, we store personal data only as long as necessary to provide our services. Cookie data may persist for different periods — some expire after a session, while others may remain for years. For specific cookie durations, refer to the respective provider’s privacy policy.
Right to Object
You have the right to revoke your consent for the use of cookies or third-party tools at any time. This can be done via our cookie management tool or via opt-out functions. You can also manage cookies directly in your browser settings. The legality of data processing prior to your withdrawal remains unaffected.
Since cookies are typically used with online marketing tools, we recommend reviewing our general privacy policy on cookies and checking the specific provider's privacy statements.
Legal Basis
If you have provided consent for the use of third-party tools, this serves as the legal basis for the processing of your data (Art. 6 (1)(a) GDPR). In addition, we have a legitimate interest in anonymously measuring marketing effectiveness to optimize our offering (Art. 6 (1)(f) GDPR). However, we only use such tools when you have explicitly provided consent.
Information about specific online marketing tools is provided in the sections below.
Facebook Custom Audiences Privacy Policy
We use Facebook Custom Audiences, a server-side event tracking tool. Service provider: Meta Platforms Inc. EU representative: Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
Facebook also processes your data in the USA and participates in the EU-U.S. Data Privacy Framework, ensuring lawful and secure transfer of EU personal data. More info:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Facebook also uses Standard Contractual Clauses (Art. 46 (2) and (3) GDPR). These are EU-approved templates ensuring adequate protection when data are transferred to third countries like the U.S. More info:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Facebook’s data processing terms (referencing SCCs):
https://www.facebook.com/legal/terms/dataprocessing
More on Facebook Custom Audiences data processing:
https://www.facebook.com/about/privacy
Google AdMob Privacy Policy
We use Google AdMob, a mobile advertising tool. Service provider: Google Inc. EU representative: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
Google also processes data in the U.S. and participates in the EU-U.S. Data Privacy Framework. More info:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Google also uses Standard Contractual Clauses (Art. 46 (2) and (3) GDPR). More info:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Google Ads Data Processing Terms (with SCC references):
https://business.safety.google/intl/de/adsprocessorterms/
More about Google AdMob:
https://policies.google.com/privacy?hl=en
Google Marketing Platform (formerly DoubleClick) Privacy Policy
We use Google Marketing Platform products such as Data Studio, Surveys, Campaign Manager 360, Display & Video 360, and Search Ads 360. Service provider: Google Inc. EU representative: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
Google also processes data in the U.S. and participates in the EU-U.S. Data Privacy Framework. More info:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Google also uses Standard Contractual Clauses (Art. 46 (2) and (3) GDPR). More info:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Google Ads Data Processing Terms (with SCC references):
https://business.safety.google/intl/de/adsprocessorterms/
More about Google Marketing Platform data processing:
https://policies.google.com/privacy?hl=en
PayPal Marketing Solutions Privacy Policy
PayPal Marketing Solutions Privacy Policy Summary
👥 Data Subjects: Visitors to the website
🤝 Purpose: Optimization of our services
📓 Processed Data: Data such as IP address, login and contact information, identification and signature data, payment information, etc. More details can be found below in this privacy policy.
📅 Storage Duration: Data is generally stored as long as necessary to fulfill obligations and purposes.
⚖️ Legal Bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is PayPal Marketing Solutions?
We use the sales optimization tool PayPal Marketing Solutions on our website. The service provider is the American company PayPal Inc. For the European region, the responsible entity is PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
PayPal Marketing Solutions enables us to conduct targeted marketing campaigns to better promote our services or products. Founded in 1998, PayPal is now one of the most well-known and largest online payment providers in the world, with over 325 million active users. Marketing Solutions is an additional service offered alongside payment processing.
Why do we use PayPal Marketing Solutions on our website?
We use PayPal Marketing Solutions to provide you with the best possible service and user experience (UX) on our website. This includes showing you only the content and ads that are relevant to your interests. Through this tool, we can tailor advertising and other content specifically to your preferences, helping us reach our business goals more effectively and efficiently.
What data is processed by PayPal Marketing Solutions?
PayPal categorizes the personal data it processes into several types: login and contact data, identification and signature data, payment information, imported contacts, account profile data, device data (such as your IP address), location data, and so-called derived data. Derived data includes information inferred from transactions or other data, such as purchasing habits, behavior patterns, creditworthiness, or personal preferences.
Additionally, PayPal may collect personal data from third parties (e.g., identity verification services, fraud prevention providers, or your bank). These may include credit reporting information, transaction data, regulatory compliance data, technical usage data, location data, and derived data.
PayPal and its partners also use tracking technologies such as cookies, pixel tags, web beacons, and widgets to recognize you as a user, personalize content, and conduct interest-based advertising analytics.
How long and where is the data stored?
Generally, PayPal retains personal data as long as necessary to fulfill obligations and the specified purposes. Data necessary for customer relationships may be stored for up to 10 years after the relationship ends. If PayPal is subject to legal obligations, retention periods will comply with applicable law (e.g., insolvency law). Data may also be retained as necessary in the context of potential legal disputes.
As PayPal operates globally, your data may be stored on servers located outside your country and outside the scope of the GDPR.
How can I delete my data or prevent data storage?
You have the right to access, correct, delete, or restrict the processing of your personal data at any time. You may also withdraw your consent to data processing at any time.
If you want to deactivate, delete, or manage cookies in general, refer to the "Cookies" section for browser-specific instructions.
Legal Basis
The use of PayPal Marketing Solutions requires your consent, which we obtain via our cookie popup. This consent serves as the legal basis for the processing of personal data according to Art. 6(1)(a) GDPR.
In addition to consent, we have a legitimate interest in analyzing visitor behavior to improve our technical and business offerings. The corresponding legal basis is Art. 6(1)(f) GDPR. We only use PayPal Marketing Solutions if you have provided consent.
PayPal processes data in the USA, among other countries. Please note that, according to the European Court of Justice, the level of data protection in the USA is currently not deemed adequate. This may pose risks to the legality and security of data processing.
As a basis for data processing involving recipients in third countries (outside the European Union, Iceland, Liechtenstein, Norway—especially in the USA) or transfers to such countries, PayPal uses Standard Contractual Clauses (SCCs) under Art. 46(2) and (3) GDPR. These are EU Commission-approved templates designed to ensure your data complies with European data protection standards, even when transferred to and stored in third countries.
By using SCCs, PayPal commits to maintaining EU-level data protection when processing your relevant data. These clauses are based on an implementing decision by the EU Commission. You can find the decision and the clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
For more information on SCCs and data processed via PayPal Marketing Solutions, please consult the privacy policy at: https://www.paypal.com/webapps/mpp/ua/privacy-full
Cookie Consent Management Platform
Cookie Consent Management Platform Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Collection and management of consent for specific cookies and tools
📓 Processed Data: Data related to the management of cookie settings such as IP address, time of consent, type of consent, individual consents. For more details, see the respective tool used.
📅 Storage Duration: Depends on the tool used; generally expect durations of several years
⚖️ Legal Bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What is a Cookie Consent Management Platform?
We use a Consent Management Platform (CMP) on our website to facilitate correct and secure handling of the scripts and cookies used. This software automatically generates a cookie popup, scans and monitors all scripts and cookies, provides legally required cookie consent functionality for you, and helps both you and us keep track of all cookies. Most cookie consent management tools identify and categorize all present cookies. As a website visitor, you then decide which scripts and cookies you want to allow or not allow. The following graphic illustrates the relationship between browser, web server, and CMP.
Why do we use a cookie management tool?
Our goal is to provide you with the best possible transparency in terms of data protection. Moreover, we are legally obliged to do so. We want to inform you as thoroughly as possible about all tools and cookies that may store and process your data. It is your right to decide which cookies you accept. In order to grant you this right, we must first know which cookies are present on our website. Thanks to a cookie management tool that regularly scans the website for all active cookies, we are aware of all cookies and can provide GDPR-compliant information. You can then use the consent system to accept or reject cookies.
What data is processed?
Through our cookie management tool, you can manage each cookie individually and have full control over the storage and processing of your data. Your declaration of consent is stored so that we don’t have to ask for it every time you visit our website and can provide proof of your consent if legally required. This information is stored either in an opt-in cookie or on a server. Depending on the provider of the cookie management tool, the storage duration of your cookie consent may vary. Typically, this data (such as a pseudonymous user ID, time of consent, details of cookie categories or tools, browser, and device information) is stored for up to two years.
Duration of data processing
We inform you below about the duration of data processing as far as we have more information. In general, we process personal data only as long as is absolutely necessary for the provision of our services and products. Data stored in cookies may have varying retention periods. Some cookies are deleted immediately after leaving the website, others may remain stored in your browser for several years. The exact duration of processing depends on the tool used. In most cases, expect retention periods of several years. Detailed information on the retention period is typically provided in the privacy policies of the respective providers.
Right to object
You have the right and the opportunity at any time to withdraw your consent to the use of cookies. This can be done either via our cookie management tool or through other opt-out functionalities. For example, you can also prevent the collection of data via cookies by managing, deactivating, or deleting cookies in your browser settings.
For information on specific cookie management tools, please refer to the following sections if available.
Legal Basis
If you consent to the use of cookies, personal data will be processed and stored via these cookies. If we are permitted to use cookies based on your consent (Art. 6(1)(a) GDPR), this consent also constitutes the legal basis for the processing of your personal data. To manage cookie consent and provide you with the option to give it, we use a cookie consent management platform. The use of this software enables us to operate the website efficiently and in compliance with the law, which constitutes a legitimate interest (Art. 6(1)(f) GDPR).
Security & Anti-Spam
Security & Anti-Spam Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Cybersecurity
📓 Processed data: Data such as your IP address, name, or technical information like browser version. More details can be found below and in the individual privacy texts.
📅 Storage duration: Data is usually stored as long as necessary to fulfill the service
⚖️ Legal basis: Art. 6 (1) lit. a GDPR (Consent), Art. 6 (1) lit. f GDPR (Legitimate Interests)
What is Security & Anti-Spam Software?
Security & Anti-Spam software helps protect both you and us from various threats such as spam or phishing emails and potential cyberattacks. Spam refers to unsolicited bulk marketing emails, often considered data waste and sometimes causing costs. Phishing emails are designed to manipulate recipients into disclosing personal information through fake messages or websites. Anti-spam software typically filters such emails and protects against malicious messages containing viruses. Additionally, we use general firewall and security systems to protect our computers from unauthorized network access.
Why do we use Security & Anti-Spam Software?
We place great importance on security on our website—not only for our sake but especially for yours. In today’s digital environment, cyber threats are part of everyday life. Hackers often aim to steal personal data from IT systems. Therefore, effective protection systems are essential. Our security systems monitor all inbound and outbound connections to our network and computers. In addition to standardized system protection, we rely on external security services to enhance protection and prevent unauthorized data access.
What data is processed by Security & Anti-Spam Software?
The specific data collected and stored depends on the service provider. However, we strive to use programs that operate with data minimization in mind and only store data necessary for service provision. Typically, these services may store data such as name, address, IP address, email address, and technical information like browser type or version. Log and performance data may also be processed to detect threats. These services comply with applicable legal requirements, including the GDPR via Standard Contractual Clauses for US-based providers. Some services may involve third parties who store and/or process data under strict data protection regulations. Data is often stored via cookies.
Duration of Data Processing
We inform you below where more specific durations are available. Generally, data is stored only as long as necessary to provide the respective services. In many cases, providers do not disclose precise retention periods.
Right to Object
You have the right to withdraw your consent to the use of cookies or third-party security services at any time. This can be done via our cookie management tool or other opt-out features. You can also manage, disable, or delete cookies directly in your browser.
As these services often use cookies, we recommend reviewing our general cookie privacy policy. For details on what data is stored and processed, please refer to the privacy policies of the respective tools.
Legal Basis
We primarily use security services based on our legitimate interest in maintaining strong cybersecurity protections (Art. 6 (1) lit. f GDPR).
In certain cases, particularly when cookies or user-based functions are used, processing requires your explicit consent. If you have given such consent, this becomes the legal basis for processing your data (Art. 6 (1) lit. a GDPR). Most of these tools use browser cookies to store data. Therefore, we encourage you to read our cookie privacy policy and the privacy statements of individual service providers.
Information on specific tools used can be found in the following sections, where applicable.
Google reCAPTCHA Privacy Policy
Google reCAPTCHA Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Optimization of our service and protection against cyberattacks
📓 Processed data: Data such as IP address, browser information, operating system, limited location and usage data. More details can be found further below in this privacy policy.
📅 Storage duration: depends on the stored data
⚖️ Legal bases: Art. 6 (1) lit. a GDPR (consent), Art. 6 (1) lit. f GDPR (legitimate interests)
What is reCAPTCHA?
Our top priority is to secure and protect our website for you and for us. To ensure this, we use Google reCAPTCHA from Google Inc. For the European area, the company responsible is Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). With reCAPTCHA, we can determine whether you are a real human being and not a robot or some other spam software. We define spam as any unsolicited information sent to us electronically. Classic CAPTCHAs required users to solve text or image puzzles. With Google reCAPTCHA, you usually only need to check a box to confirm you're not a bot. The newer Invisible reCAPTCHA version doesn’t even require you to click a checkbox.
reCAPTCHA is a free CAPTCHA service from Google that protects websites from spam software and abuse from non-human visitors. It is commonly used when filling out online forms. A CAPTCHA service is an automated Turing test designed to ensure that an action is carried out by a human rather than a bot. Classic CAPTCHAs involve solving small tasks that are easy for humans but difficult for machines. reCAPTCHA eliminates these puzzles and uses advanced risk analysis to differentiate between humans and bots.
Why do we use reCAPTCHA on our website?
We want only real humans visiting our website. Bots and spam software of any kind are not welcome. Therefore, we use all necessary tools to protect our site and provide the best possible user experience. reCAPTCHA helps us maintain a bot-free website. When reCAPTCHA is used, data is transmitted to Google to determine whether the visitor is a human. This enhances the security of our website and indirectly protects your data as well.
What data is stored by reCAPTCHA?
reCAPTCHA collects personal data from users to determine whether interactions on our website are performed by humans. This may include the IP address and other data required by Google for the reCAPTCHA service. IP addresses are usually truncated within EU member states or other contracting states of the EEA before being sent to a US server. The IP address is not merged with other Google data unless you are logged into your Google account while using reCAPTCHA.
reCAPTCHA checks whether existing Google cookies from other services (e.g., YouTube, Gmail) are already stored in your browser. It also sets a new cookie and captures a snapshot of your browser window.
The following example is from the reCAPTCHA Demo from Google: https://www.google.com/recaptcha/api2/demo
Examples of collected data include:
- Referrer URL (the address from which the visitor came)
- IP address
- Information about the operating system
- Cookies
- Mouse and keyboard behavior
- Date and language settings
- All JavaScript objects
- Screen resolution
Google processes this data even before you click on the checkbox. With Invisible reCAPTCHA, this process occurs entirely in the background.
Examples of cookies set by reCAPTCHA (from Google’s demo site):
- IDE: Tracks user interaction with ads (doubleclick.net), expires after 1 year
- 1P_JAR: Collects usage statistics and measures conversions, expires after 1 month
- ANID: Related to advertising cookies, expires after 9 months
- CONSENT: Stores user consent status, expires after 19 years
- NID: Personalizes ads in Google Search, expires after 6 months
- DV: Set when checkbox is clicked, used for personalized advertising, expires after 10 minutes
This list is not exhaustive as Google may change cookie usage.
How long and where are the data stored?
When reCAPTCHA is used, data is transmitted to Google servers. Google does not clearly specify where this data is stored, though it is assumed to be in both Europe and the US. The IP address is generally not merged with other Google services unless you are logged into your account.
How can I delete or prevent data storage?
To prevent data transmission to Google, log out of your Google account and delete all Google cookies before visiting our site. Data is sent to Google automatically upon visiting our site. For deletion, contact Google Support at https://support.google.com/?hl=de&tid=112989449.
Using our website implies your consent to data collection by Google LLC.
Please note: Your data may be stored and processed outside the EU. The USA is considered an insecure third country under EU data protection law. Data transfers to such countries require additional guarantees, such as EU standard contractual clauses (SCC).
Legal basis
If you have consented to the use of Google reCAPTCHA, the legal basis is Art. 6 (1) lit. a GDPR. Additionally, we have a legitimate interest in using reCAPTCHA to optimize and secure our online services (Art. 6 (1) lit. f GDPR). We use reCAPTCHA only if you have provided consent.
Google processes data in the USA and is an active participant in the EU-US Data Privacy Framework, which ensures lawful and secure data transfers from the EU to the US. More information: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
Google also uses standard contractual clauses (Art. 46 (2) and (3) GDPR). These are templates provided by the EU Commission to ensure that your data complies with European data protection standards even when stored in third countries. These clauses are based on an implementing decision by the EU Commission: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
Google Ads Data Processing Terms referencing SCCs: https://business.safety.google/intl/de/adsprocessorterms/.
More information about reCAPTCHA: https://developers.google.com/recaptcha/. Google Privacy Policy: https://policies.google.com/privacy.
Payment Providers Introduction
Payment Providers Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: To enable and optimize the payment process on our website
📓 Processed Data: Data such as name, address, banking information (account number, credit card number, passwords, TANs, etc.), IP address, and contract data
More details can be found under each respective payment provider tool in this privacy policy.
📅 Storage Duration: Depends on the respective payment provider
⚖️ Legal Bases: Art. 6 (1) lit. b GDPR (Contract Fulfillment)
What is a Payment Provider?
We use online payment systems on our website to enable a secure and seamless payment process for both you and us. In doing so, personal data may be transferred to, stored by, and processed by the respective payment provider. Payment providers are online payment systems that allow you to make purchases via online banking. The payment process is handled by the payment provider of your choice, and we receive a notification once the payment is completed. This method is available to any user with an active online banking account with PIN and TAN. Most banks support and accept these types of transactions.
Why do we use Payment Providers on our website?
Our aim is to provide the best possible service via our website and integrated online shop so that you have a pleasant experience and can easily make use of our offerings. We understand that your time is valuable, and that’s why payment processes need to work smoothly and efficiently. For this reason, we offer various payment providers so you can choose the one you’re most comfortable with.
What data is processed?
The specific data processed depends on the payment provider. However, in general, the data includes name, address, banking information (account number, credit card number, passwords, TANs, etc.). These are essential for executing a transaction. Contract data and user data such as visit times, interests, or clicked subpages on our website may also be stored. Your IP address and technical information about your device may be logged by most payment providers.
This data is typically stored and processed on the servers of the payment provider. As the website operator, we do not receive access to this data. We are merely informed about whether the payment was successful. For identity or credit checks, the payment provider may transfer your data to relevant entities. The terms and privacy policies of the respective provider apply to all payment transactions. Please refer to these policies for information on your rights such as data deletion or correction.
Duration of Data Processing
Further details on the duration of data processing will be provided below if available. Generally, we process personal data only for as long as is necessary for providing our services and products. Where legally required, for example in accounting, this duration may be extended. We store accounting records (invoices, contracts, account statements, etc.) for 10 years (§ 147 AO) and other business documents for 6 years (§ 247 HGB).
Right to Object
You have the right to access, correct, and delete your personal data at any time. If you have questions, contact the responsible payment provider directly. Contact details are provided either in our privacy policy or on the respective provider’s website.
Cookies used by payment providers can be deleted, disabled, or managed in your browser settings. Please note that disabling cookies may impair the functionality of the payment process.
Legal Basis
We use various payment service providers in addition to conventional bank/credit institutions to fulfill contractual or legal obligations (Art. 6 (1) lit. b GDPR). The privacy policies of the individual providers (such as Amazon Payments, Apple Pay, or Discover) offer detailed information on data handling. You can also reach out to the respective provider for any data protection concerns.
Details on the individual payment providers follow in the next sections.
American Express Privacy Policy
We use American Express, a global financial services provider, on our website. The service is operated by American Express Company, a U.S.-based company. For the European region, the responsible entity is American Express Europe S.A. (Avenida Partenón 12-14, 28042, Madrid, Spain).
American Express processes data in the United States, among other locations. We note that, according to the European Court of Justice, there is currently no adequate level of data protection for the transfer of personal data to the USA. This may present various risks to the legality and security of the data processing.
As a safeguard for data processing involving recipients in third countries (outside the EU, Iceland, Liechtenstein, and Norway, particularly the USA), American Express relies on the so-called Standard Contractual Clauses (Art. 46 (2) and (3) GDPR). These clauses are model contract templates provided by the EU Commission to ensure your data complies with EU privacy standards even when stored or processed in third countries. By agreeing to these clauses, American Express commits to upholding the European level of data protection even when processing or storing data in the USA. These clauses are based on an implementing decision of the EU Commission, which you can access here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
More information about the data processed through the use of American Express can be found in their Privacy Policy at:
https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/
Klarna Checkout Privacy Policy
Klarna Checkout Privacy Policy Summary
👥 Data subjects: Website visitors
🤝 Purpose: Optimization of the payment process on our website
📓 Processed data: Data such as name, address, banking information (account number, credit card number, passwords, TANs, etc.), IP address, and contract data.
More details can be found below in this privacy policy.
📅 Storage period: Data is retained for as long as Klarna needs it for the processing purpose.
⚖️ Legal bases: Art. 6 (1) lit. c GDPR (legal obligation), Art. 6 (1) lit. f GDPR (legitimate interests)
What is Klarna Checkout?
We use the online payment system Klarna Checkout from the Swedish company Klarna Bank AB. Klarna's headquarters is located at Sveavägen 46, 111 34 Stockholm, Sweden. If you choose this service, personal data will be transmitted to Klarna, stored, and processed. In this privacy policy, we provide you with an overview of Klarna’s data processing.
Klarna Checkout is a payment system for online shop orders. The user selects the payment method, and Klarna Checkout manages the entire payment process. Once a user has made a payment via Klarna Checkout and provided their data, future purchases can be completed even faster. Klarna recognizes existing customers based on their email address and postal code.
Why do we use Klarna Checkout on our website?
Our goal is to provide you with the best possible service through our website and online shop. This includes a smooth, fast, and secure payment process. Klarna Checkout helps us achieve this objective.
What data is stored by Klarna Checkout?
As soon as you choose Klarna and pay via Klarna Checkout, you transmit personal data to the company. Klarna's checkout page collects technical data such as browser type, operating system, our website URL, date and time, language settings, time zone settings, and your IP address. This data is collected even if no purchase is completed.
When you place an order, you must enter personal data into the form. Klarna processes this data for payment processing. For credit and identity checks, the following personal data (as well as general product data) may be stored and processed:
- Contact information: name, date of birth, national ID number, title, billing and shipping address, email address, phone number, nationality, or income
- Payment information such as credit card details or bank account number
- Product information such as tracking number, item type, and product price
Additional optional data may be collected if you choose to provide it (e.g., political, religious, or health-related data).
Klarna may also gather product-related data from third parties (such as us or public databases). Klarna may share your personal data with service providers (e.g., software vendors, cloud storage providers, or us as the merchant).
If form fields are auto-filled, cookies are used. You can disable this feature by deactivating cookies. Our tests indicate that Klarna does not set cookies directly. If you select "Klarna Sofort" and click "Order," you’ll be redirected to sofort.com. After successful payment, you return to our thank-you page. There, sofort.com sets the following cookie:
- Name: SOFUEB
  Value: e8cipp378mdscn9e17kajlfhv7112989449-4
  Purpose: Stores your session ID.
  Expiration: At the end of the browser session
How long and where is the data stored?
Klarna aims to store your data within the EU/EEA. However, it may be transferred outside the EU/EEA. If this happens, Klarna ensures GDPR-compliant processing, and that the third country is subject to an EU adequacy decision. Data is stored for as long as Klarna requires it for its processing purposes.
How can I delete my data or prevent storage?
You can withdraw your consent for Klarna to process personal data at any time. You also have the right to access, rectify, or delete your personal data. Contact Klarna or its data protection team via email at datenschutz@klarna.de. You can also reach Klarna via its “My Privacy Request” page.
Cookies used by Klarna (if any) can be managed, deactivated, or deleted in your browser. Instructions for the most common browsers can be found under the "Cookies" section of our privacy policy.
Legal basis
We use Klarna Checkout to fulfill contractual/legal relationships (Art. 6 (1) lit. b GDPR) alongside traditional bank and credit institutions.
We hope this overview helps you understand Klarna’s data processing. For more information, please refer to Klarna’s privacy policy at:
https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_at/privacy
PayPal Privacy Policy
Summary of the PayPal Privacy Policy
👥 Data Subjects: Visitors to the website
🤝 Purpose: Optimization of the payment process on our website
📓 Processed Data: Data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.), IP address, and contract data may be processed.
More details can be found further below in this privacy policy.
📅 Storage Duration: Data is generally stored until the cooperation with PayPal is terminated
⚖️ Legal Basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(a) GDPR (consent)
What is PayPal?
We use the online payment service PayPal on our website. The service provider is the American company PayPal Inc. For the European region, the responsible entity is PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
PayPal enables users to send and receive money electronically. Founded in 1998, the company now counts over 325 million active users and is one of the best-known and largest online payment service providers globally.
Why do we use PayPal on our website?
There are several reasons why we use and offer PayPal on our website. As PayPal is one of the most well-known online payment providers, many of our website visitors also use and trust this service. PayPal offers high security standards for digital money transfers, employing various encryption methods to best protect your personal data. We also value the user-friendliness of PayPal and the ability to process international payments in multiple currencies. Typically, transactions are processed quickly, which is another benefit for both us and you as a customer.
What data is processed by PayPal?
According to PayPal’s privacy policy, the service processes several categories of personal data, including:
- Login and contact information
- Identification and signature data
- Payment information
- Data imported from your contacts
- Profile data
- Device data such as IP address and location
- Derived data such as purchase behavior, creditworthiness, or preferences
In addition, data from third parties (e.g., identity verifiers, fraud detection providers, or your bank) may also be collected. This includes data from credit agencies, transaction data, compliance-related data, technical usage data, and location data.
PayPal and its partners may also use tracking technologies such as cookies, pixel tags, web beacons, and widgets to identify users, personalize content, and perform interest-based advertising analysis.
How long and where are the data stored?
In principle, PayPal stores data as long as necessary to fulfill its obligations and purposes. Personal data relevant to the customer relationship may be retained up to 10 years after the end of the relationship. If PayPal is subject to a legal obligation, the retention period is based on applicable law (e.g., insolvency law). Data may also be retained if advisable in view of legal disputes.
As a global company, PayPal operates data centers worldwide. This means your data may also be stored on PayPal servers outside your country and outside the scope of the GDPR.
How can I delete my data or prevent data storage?
You have the right at any time to access, rectify, delete, or restrict the processing of your personal data. You can also revoke your consent to data processing at any time.
If you want to disable, delete, or manage cookies in general, you can find links to browser-specific instructions under the “Cookies” section of this policy.
Legal Basis
We have a legitimate interest in integrating PayPal as an external payment service provider in order to make our offering more attractive and improve it technically and economically. The legal basis is Art. 6(1)(f) GDPR (legitimate interests). Please note that you can only use PayPal if you enter into a contractual relationship with PayPal. Additional data protection or contractual declarations (e.g., consent) may be required.
PayPal processes your data in the USA, among other places. According to the Court of Justice of the European Union, there is currently no adequate level of protection for data transfers to the USA, which may pose various risks to the legality and security of data processing.
PayPal relies on Standard Contractual Clauses (SCCs) in accordance with Art. 46(2) and (3) GDPR as the basis for processing data in or transferring data to third countries (outside the EU, Iceland, Liechtenstein, and Norway, especially the USA). These clauses are templates provided by the European Commission to ensure that your data complies with EU data protection standards even when stored and processed outside the EU.
You can find the EU Commission's decision and SCC templates here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
More information about PayPal's SCCs and data processing practices can be found in their privacy policy: https://www.paypal.com/webapps/mpp/ua/privacy-full
Visa Privacy Policy
We use Visa, a globally operating payment provider, on our website. The service provider is the American company Visa Inc. For the European region, the responsible entity is Visa Europe Services Inc. (1 Sheldon Square, London W2 6TT, United Kingdom).
Visa processes your data in the USA, among other locations. According to the Court of Justice of the European Union, there is currently no adequate level of protection for data transfers to the USA, which may pose various risks to the legality and security of the data processing.
Visa also relies on Standard Contractual Clauses (SCCs) in accordance with Art. 46(2) and (3) GDPR as the legal basis for data transfers to third countries (especially the USA). These clauses are templates provided by the European Commission and are intended to ensure compliance with European data protection standards even when your data is processed outside the EU.
You can find the EU Commission’s decision and SCC templates here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
More information about Visa’s SCCs can be found here: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html
Further details on how Visa processes your data can be found in their Privacy Policy at: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html
External Online Platforms – Introduction
External Online Platforms – Privacy Policy Summary
👥 Data Subjects: Visitors to our website or visitors of external online platforms
🤝 Purpose: Presentation and optimization of our services, customer communication
📓 Processed Data: Data such as phone numbers, email addresses, contact information, user behavior data, device information, and IP address.
More details can be found in the privacy policies of each platform used.
📅 Storage Duration: Depends on the platform used
⚖️ Legal Bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What are external online platforms?
In order to promote our products and services beyond our own website, we also utilize external platforms—primarily online marketplaces like Amazon or eBay. In addition to our responsibility for data protection, the respective platforms' privacy policies apply, particularly if a purchase takes place via these platforms. Most platforms also use collected data to optimize their own marketing strategies, such as delivering personalized ads based on customer behavior.
Why do we use external online platforms?
Our objective is to present our product range to a broader customer base beyond our website. Large marketplaces such as Amazon, eBay, or Digistore24 enable us to reach customers who may not yet know our brand. In some cases, integrated elements on our website redirect users to these external platforms.
The platforms use collected data not only to process transactions but also to perform web analyses. The goal of these analyses is to develop personalized and targeted marketing campaigns. Based on your behavior, platforms may create user profiles and serve tailored advertisements. This usually involves the use of cookies stored in your browser.
Please note that your data may be processed outside the European Union, especially when dealing with U.S.-based companies like Amazon or eBay. This may limit your ability to exercise certain rights under European data protection law.
What data is processed?
The specific types of data collected and processed depend on the platform in question. Typically, this may include phone numbers, email addresses, data submitted through contact forms, user interactions (e.g., clicked buttons, visited pages), device information, and IP address. These are often stored in cookies. If you maintain a user profile on such a platform and are logged in, your data may be linked to your profile. Data is stored and processed on the platform’s servers. For detailed information, refer to the privacy policy of the respective provider.
Duration of data processing
Unless stated otherwise, we only process personal data as long as it is necessary to fulfill our services. Platforms such as Amazon store personal data until it is no longer needed for business or legal purposes.
Right to Object
You may withdraw your consent to the use of cookies at any time—either through our cookie consent tool or via opt-out mechanisms provided by the external platform. You may also disable cookies directly in your browser settings.
Since cookies may be used, we also recommend reviewing our general Cookie Policy. For details on which data is specifically processed, consult the respective platform’s privacy policy.
Legal Basis
If you have consented to data processing by external platforms, this consent forms the legal basis (Art. 6(1)(a) GDPR). In addition, processing may be based on our legitimate interest (Art. 6(1)(f) GDPR) in communicating with customers and business partners efficiently. Any third-party elements embedded on our website are only activated after consent is given.
Shopify Privacy Policy
We use the e-commerce platform Shopify. The service provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
Shopify may also process your data in the United States. Please note that, according to the European Court of Justice, the current level of data protection in the U.S. is not considered adequate. This may pose risks to the legality and security of your data processing.
As a legal safeguard, Shopify relies on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2) and (3) GDPR. These are standard model contracts provided by the European Commission to ensure that your data continues to meet EU data protection standards when transferred to third countries (e.g., the U.S.). Through these clauses, Shopify undertakes to uphold EU-level data protection standards even when processing data outside the EEA. You can find the decision and the SCC templates here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Further information on how Shopify processes personal data and applies SCCs can be found at:
Audio & Video – Introduction
Audio & Video – Privacy Policy Summary
👥 Data Subjects: Visitors to the website
🤝 Purpose: Enhancement of our service offering
📓 Processed Data: Information such as contact details, user behavior, device information, and IP address may be collected
📅 Storage Duration: Data is generally stored as long as it is necessary for the service purpose
⚖️ Legal Bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What are audio and video elements?
We have integrated audio and/or video elements into our website so that you can watch videos or listen to music/podcasts directly on our site. These contents are provided by external service providers and streamed from their servers.
Such integrations typically originate from platforms like YouTube, Vimeo, or Spotify. These services may offer both free and paid content. By embedding these media elements, we allow you to access the respective content conveniently via our website.
When you interact with these audio or video elements, personal data may be transmitted to, processed by, and stored by the respective providers.
Why do we use audio & video elements on our website?
Our goal is to offer you the best possible user experience on our website. We understand that information is no longer conveyed through text and images alone. By integrating media elements directly into our site, we provide entertaining and informative content—ideally both—in a format that enhances accessibility and user engagement.
What data is collected by audio & video elements?
When you access a page containing an embedded video, your browser automatically connects to the service provider’s server. During this process, data such as your IP address, browser type, operating system, and other general device information may be transmitted and stored. These data transfers occur regardless of whether you hold an account with the respective third-party provider.
In addition, information about your activity on the website may be collected—such as session duration, bounce rate, interactions with specific buttons, or the referrer URL. These insights are typically collected via cookies or pixel tags (also called web beacons). Pseudonymized data is often stored in cookies placed in your browser. For exact details, please refer to the privacy policy of the individual third-party provider.
Duration of data processing
For information about how long third-party providers store your data, refer to the provider’s privacy policy or our detailed tool-specific privacy statements further below. Generally, personal data is retained only as long as necessary to deliver the services. However, many platforms may store data for several years, particularly in the case of cookies—some of which are deleted after a session ends, while others may remain for extended periods.
Right to object
You may withdraw your consent for data collection via cookies or third-party services at any time—either through our cookie management tool or via opt-out mechanisms provided by the respective provider. You may also disable or delete cookies manually in your browser settings. Note that the lawfulness of processing before your withdrawal remains unaffected.
Since audio and video elements often rely on cookies, we also recommend reviewing our general Cookie Policy. Detailed information about data handling can be found in the privacy policies of the relevant third-party providers.
Legal basis
If you have given your consent for data processing through embedded audio and video elements, this consent constitutes the legal basis (Art. 6(1)(a) GDPR). In addition, data may be processed on the basis of our legitimate interest in effective communication (Art. 6(1)(f) GDPR). Embedded audio and video content will only be activated if you have explicitly consented to it.
YouTube Privacy Policy
Summary of the YouTube Privacy Policy
👥 Data Subjects: Visitors to the website
🤝 Purpose: Optimization of our service performance
📓 Processed Data: Data such as contact information, user behavior data, information about your device, and your IP address may be stored. For more details, please see the privacy text below.
🗓 Storage Duration: Data is generally stored as long as required for the purpose of the service
⚖️ Legal Basis: Art. 6 (1) lit. a GDPR (Consent), Art. 6 (1) lit. f GDPR (Legitimate Interests)
What is YouTube?
We have embedded YouTube videos on our website to present interesting videos directly on our site. YouTube is a video platform and has been a subsidiary of Google since 2006. The platform is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit a page on our website with an embedded YouTube video, your browser automatically connects to YouTube's or Google's servers. Depending on settings, various data is transmitted. For all data processing in the European region, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible.
Below we explain in detail which data is processed, why we have integrated YouTube videos, and how you can manage or delete your data.
On YouTube, users can watch, rate, comment on, and upload videos for free. Over the years, YouTube has become one of the most important social media channels worldwide. To display videos on our website, YouTube provides a snippet of code which we embed on our site.
Why do we use YouTube videos on our website?
YouTube is the most visited video platform with the best content. We strive to offer you the best possible user experience on our website, and engaging videos are part of that. With our embedded videos, we provide helpful content beyond texts and images. Additionally, our website becomes more discoverable via Google Search thanks to embedded videos. If we run ads via Google Ads, Google can use the collected data to show these ads only to users interested in our offers.
What data is stored by YouTube?
As soon as you visit a page on our website with an embedded YouTube video, YouTube sets at least one cookie storing your IP address and our URL. If you're logged into your YouTube account, YouTube can associate your interactions on our site with your profile. This includes data such as session duration, bounce rate, approximate location, technical info like browser type, screen resolution, or your ISP. Other data may include contact info, ratings, sharing content via social media, or adding to favorites.
If you're not logged in to a Google or YouTube account, Google stores data using a unique identifier tied to your device, browser, or app. Preferences like language settings are retained, but less interaction data is stored.
Below is a list of cookies that were set during browser testing:
- YSC: Registers a unique ID to store stats on the viewed video. (Expires: session end)
- PREF: Registers your unique ID. Google uses PREF to collect stats on YouTube usage. (Expires: 8 months)
- GPS: Registers a unique ID on mobile devices to track GPS location. (Expires: 30 minutes)
- VISITOR_INFO1_LIVE: Estimates the user's bandwidth on sites with embedded YouTube videos. (Expires: 8 months)
Additional cookies when logged into a YouTube account:
- APISID: Used to build a profile of your interests for personalized ads. (Expires: 2 years)
- CONSENT: Stores user consent status for Google services. Also used for security purposes. (Expires: 19 years)
- HSID: Used to build a profile for personalized advertising. (Expires: 2 years)
- LOGIN_INFO: Stores your login details. (Expires: 2 years)
- SAPISID: Identifies browser and device to create an interest profile. (Expires: 2 years)
- SID: Stores your Google account ID and last login time in encrypted form. (Expires: 2 years)
- SIDCC: Stores how you use the site and any ads you may have seen. (Expires: 3 months)
Where and how long are the data stored?
YouTube (Google) stores data on servers, many of which are in the U.S. Server locations can be viewed at https://www.google.com/about/datacenters/locations/?hl=en. Your data are distributed across these servers for faster access and better protection against tampering.
Google retains data for varying durations. Some can be deleted manually, others are deleted automatically after a time, and some are retained longer. Certain account-stored data (e.g., My Activity, photos, documents, products) are kept until manually deleted. Even without a Google account, you can delete data tied to your device, browser, or app.
How can I delete my data or prevent data storage?
You can manually delete data in your Google Account. With Google's auto-delete feature (introduced in 2019), activity and location data are deleted automatically after 3 or 18 months.
Regardless of account status, you can configure your browser to delete or block cookies from Google. Under "Cookies," we provide links to cookie management guides for major browsers.
You can also configure your browser to notify you about cookie placements so you can accept or reject them individually.
Legal Basis
If you have consented to data processing via embedded YouTube elements, this consent constitutes the legal basis (Art. 6 (1) lit. a GDPR). Your data is also processed based on our legitimate interest (Art. 6 (1) lit. f GDPR) in providing fast and effective communication. We only use embedded YouTube elements if you have given consent.
YouTube processes data in the U.S. YouTube (Google) is an active participant in the EU-U.S. Data Privacy Framework, which regulates the secure transfer of EU citizens' data to the U.S. More info: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Additionally, Google uses Standard Contractual Clauses (SCCs) under Art. 46 (2) and (3) GDPR. These EU-approved templates ensure that data transferred to third countries meets EU data protection standards. SCCs obligate Google to maintain EU-level privacy, even if data is processed in the U.S. Official info: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Google Ads Data Processing Terms (referencing SCCs): https://business.safety.google/intl/en/adsprocessorterms/
Since YouTube is a Google subsidiary, their joint privacy policy applies. More info: https://policies.google.com/privacy?hl=en
Survey and Polling Systems Introduction
Survey and Polling Systems Privacy Policy Summary
👥 Data subjects: Visitors to the website
🤝 Purpose: Evaluation of surveys on the website
📓 Processed data: Contact details, device data, access duration and time, IP addresses. More details can be found in the respective survey and polling system used.
📅 Storage period: Depends on the tool used
⚖️ Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What are survey and polling systems?
We occasionally conduct surveys and polls on our website. A survey or polling system is a tool embedded in our website that presents questions to you (e.g., about our products or services), which you can answer if you choose to participate. Your answers are always evaluated anonymously. However, based on your consent, personal data may also be collected and processed.
Why do we use survey and polling systems?
Our goal is to offer the best products and services in our industry. Surveys provide us with valuable feedback and let us know what you expect from us and our offerings. Based on these anonymous evaluations, we can better align our products and services with your expectations. Additionally, this data helps us target our advertising and marketing efforts to people who are genuinely interested in our offerings.
What data is processed?
Personal data is only processed when technically necessary or when you have given consent. For example, your IP address may be stored to enable the survey to be displayed in your browser. Cookies may also be used so you can continue the survey at a later time.
If you have consented to the processing of your data, contact information such as your email address or telephone number may be collected. Additionally, any data you enter into an online form may be stored and processed. Some providers may also record which pages you visited on our site, when you started and completed the survey, and various technical details about your device.
How long is the data stored?
The duration of processing and storage depends primarily on the tools we use. Further below you will find more specific information about each tool. In general, personal data is only processed as long as it is necessary for providing our services. If data is stored in cookies, the retention period may vary. Some cookies are deleted as soon as you leave the website, while others may be stored for several years. For precise information, we recommend reviewing the privacy policies of each provider and inspecting the individual cookies in use.
Right to object
You have the right to withdraw your consent to the use of cookies or embedded survey systems at any time. This can be done either via our cookie management tool or through other opt-out options. You can also configure your browser to manage, deactivate, or delete cookies.
Since cookies may be used with survey systems, we recommend also reading our general privacy policy regarding cookies. For more detailed information on how your data is stored and processed, please refer to the privacy policies of the respective tools.
Legal basis
The use of survey systems requires your consent, which we obtained via our cookie consent banner. This consent serves as the legal basis for the processing of personal data in accordance with Art. 6 para. 1 lit. a GDPR.
Additionally, we have a legitimate interest in conducting surveys related to our offerings, which constitutes another legal basis under Art. 6 para. 1 lit. f GDPR. However, we only use such tools when you have given consent.
Since cookies may be used, we also recommend reading our general cookie privacy policy. For information on exactly what data is stored and processed, please consult the privacy policies of the respective providers.
Information about the individual survey systems, if applicable, will be provided in the sections below.
Review Platforms – Introduction
Review Platforms Privacy Policy Summary
👥 Data Subjects: Visitors to the website or a review platform
🤝 Purpose: To receive feedback on our products and/or services
📓 Processed Data: Includes IP address, email address, name. More details can be found below or in the privacy policies of the respective review platforms.
📅 Storage Duration: Depends on the respective platform
⚖️ Legal Basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What are Review Platforms?
On various review platforms, you have the opportunity to evaluate our products or services. We actively participate in some of these platforms to receive valuable feedback that helps us improve our offerings. If you submit a review via one of these platforms, the data protection policies and terms of service of the respective platform apply. In many cases, you may be required to register before leaving a review. Review technologies (widgets) may also be embedded on our website, and when using such tools, personal data may be transmitted to and processed by the relevant service provider.
Typically, these tools function similarly: after purchasing a product or using a service, you may receive a request via email or on the website to submit a review. This usually involves a redirect to a review page where you can easily provide your feedback. Some platforms also offer integration with social media networks to make reviews more widely visible.
Why do we use Review Platforms?
Review platforms gather feedback and evaluations of our products and services. Your reviews allow us to quickly assess customer satisfaction and improve our offerings accordingly. These reviews help us improve our services and provide potential customers with a clear picture of the quality of our products and performance.
What Data is Processed?
With your consent, we transmit information about you and your purchased services to the respective review platform. This ensures that only actual customers can leave authentic reviews. The transferred data is solely used for user identification. The specific data processed depends on the platform in use but generally includes personal data such as your IP address, email address, and name. Order-related data, such as the order number, may also be shared after submitting a review. If your email address is shared, it allows the platform to send follow-up emails to request a review. To integrate reviews into our website, we may also share information about your visit to our website with the platform. The review platform is solely responsible for processing this data.
How Long and Where is the Data Stored?
Details regarding data retention can be found in the respective provider’s privacy policy listed below, where available. In general, we process personal data only for as long as is necessary to deliver our services. Personal data mentioned in a review is usually anonymized by the platform and only visible to the company’s administrators. The data is stored on the provider’s servers and typically deleted once the contract ends.
Right to Object
You have the right to withdraw your consent to the use of cookies and third-party tools at any time. This can be done via our cookie management tool or through other opt-out options. For example, you can also block cookie tracking by managing, disabling, or deleting cookies in your browser settings.
Legal Basis
If you have given consent for a review platform to be used, the legal basis for the processing of your personal data is this consent pursuant to Art. 6(1)(a) GDPR.
Additionally, we have a legitimate interest in using review platforms to improve our online services. The relevant legal basis in this case is Art. 6(1)(f) GDPR (Legitimate Interests). However, we only use these platforms if you have provided consent.
We hope this section has given you a clear overview of how review platforms process data. For further information, please refer to the detailed privacy policies of the specific providers listed below.
Explanation of Terms Used
We always strive to draft our Privacy Policy as clearly and understandably as possible. However, especially with technical and legal topics, this is not always easy. In many cases, it makes sense to use legal terms (such as personal data) or specific technical expressions (such as cookies or IP address). However, we aim to avoid using such terms without explanation. Below, you’ll find an alphabetical list of important terms we use in this Privacy Policy that may not have been sufficiently explained so far. Where these definitions are derived from the GDPR and correspond to legal terms, we also include the relevant legal wording and provide further clarifications if necessary.
Supervisory Authority
Definition according to Article 4 GDPR
“Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51.
Explanation:
A supervisory authority is always a government-established, independent body that in certain cases also has authority to issue directives. Supervisory authorities enforce regulatory oversight and are typically part of ministries or independent agencies. In Austria, there is a national Data Protection Authority; in Germany, each federal state has its own.
Processor
Definition according to Article 4 GDPR
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Explanation:
As a company and website operator, we are considered the controller of any personal data we process. In addition to the controller, there may be processors – companies or individuals that process data on our behalf. Examples include tax advisors, hosting or cloud providers, payment service providers, newsletter systems, or large corporations such as Google or Microsoft.
Concerned Supervisory Authority
Definition according to Article 4 GDPR
“Concerned supervisory authority” means a supervisory authority which is concerned by the processing of personal data because:
a) the controller or processor is established on the territory of that authority’s Member State;
b) the processing substantially affects or is likely to substantially affect data subjects residing in that Member State; or
c) a complaint has been lodged with that authority.
Explanation:
In Germany, each federal state has its own data protection authority. Therefore, if your company's headquarters are in Germany, the relevant authority is that of the corresponding state. In Austria, there is only one national authority for the entire country.
Biometric Data
Definition according to Article 4 GDPR
“Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
Explanation:
These are biological attributes used to derive personal data using technical procedures. Examples include DNA, fingerprints, body geometry, body height, handwriting, or voice characteristics.
Filing System
Definition according to Article 4 GDPR
“Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
Explanation:
Any organized collection of data stored on a computer's storage device is considered a filing system. For example, when we store your name and email address on a server for our newsletter, this data resides within such a system. Its core purpose is efficient searching, finding, and secure storage of data.
Information Society Service
Definition according to Article 4 GDPR
“Information society service” means a service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535.
Explanation:
The term Information Society refers to a society based on information and communication technologies. As a website visitor, you interact with many such services daily. A typical example is conducting online transactions, such as buying goods over the internet.
Third Party
Definition according to Article 4 GDPR
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Explanation:
The GDPR essentially defines a third party by exclusion. In practice, a third party is any entity interested in the data but not directly involved as listed above. For example, a parent company can be a third party, even though the subsidiary is the actual controller. This does not automatically grant the parent company access to or control over the data.
Restriction of Processing
Definition according to Article 4 GDPR
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
Explanation:
You have the right to request that your data be restricted from further processing. This means that specific personal data such as your name, date of birth, or address is flagged in a way that prevents it from being used in future processing activities. For instance, you might request that your data no longer be used for personalized advertising.
Consent
Definition according to Article 4 GDPR
"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Explanation:
On websites, such consent is usually obtained via a cookie consent tool. You are likely familiar with this: when visiting a website for the first time, a banner typically appears asking whether you agree to data processing. Often, you can customize settings to decide which types of data processing you allow or reject. Without your consent, no personal data may be processed. Of course, consent can also be given in writing, not just via tools.
Recipient
Definition according to Article 4 GDPR
"Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Explanation:
Any individual or company that receives personal data is considered a recipient. This includes us and our processors. Authorities with investigative powers under law are not considered recipients in this context.
Genetic Data
Definition according to Article 4 GDPR
"Genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Explanation:
With appropriate effort, individuals can be identified through genetic data. For this reason, such data fall under the category of personal data. Genetic data may be obtained from blood or saliva samples, for example.
Health Data
Definition according to Article 4 GDPR
"Health data" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Explanation:
Health data includes all stored information relating to your health, such as medications taken, x-ray images, your complete medical history, or vaccination status. These are often the same types of data found in patient records.
Cross-Border Processing
Definition according to Article 4 GDPR
"Cross-border processing" means either:
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Explanation:
For example, if a company has establishments in Spain and Croatia and processes personal data related to their operations, this constitutes cross-border processing. Even if data is processed in just one country (e.g., Spain), but has an effect on data subjects in another country (e.g., Croatia), it is still considered cross-border.
Main Establishment
Definition according to Article 4 GDPR
"Main establishment" means:
a) for a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the Union and that establishment has the power to have such decisions implemented, in which case the establishment having such decision-making power shall be considered to be the main establishment;
b) for a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place, provided that the processor is subject to specific obligations under this Regulation.
Explanation:
Take Google as an example. Although it is an American company and processes data in the U.S., its European main establishment is in Ireland (Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland). Therefore, it is considered a legally independent entity responsible for all Google services in the EEA. In contrast, branch offices do not qualify as legally independent establishments. A main establishment is the location where the core operations of a business entity take place.
International Organization
Definition according to Article 4 GDPR
"International organization" means an organization and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Explanation:
The most well-known international organizations include the European Union and the United Nations. The GDPR distinguishes between data transfers within the EU and those involving third countries or international organizations. Within the EU, data transfers are generally unproblematic since all Member States adhere to the same regulations. Transfers to third countries or international organizations, however, are subject to additional requirements.
Relevant and Reasoned Objection
Definition according to Article 4 GDPR
"Relevant and reasoned objection" means an objection to a draft decision as to whether there is an infringement of this Regulation or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union.
Explanation:
If we, as a controller, or our processors, take actions that do not align with the GDPR, you may lodge a relevant and reasoned objection. This must clearly outline the risks to your fundamental rights and freedoms, and potentially to the free movement of personal data within the EU.
Personal Data
Definition according to Article 4 GDPR
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Explanation:
Personal data refers to all information that can identify you as an individual. These typically include:
- Name
- Address
- Email address
- Postal address
- Telephone number
- Date of birth
- Identification numbers (e.g., social security number, tax ID, ID card number, student number)
- Banking data (e.g., account numbers, credit information, account balances)
According to the Court of Justice of the European Union (CJEU), IP addresses also qualify as personal data, since IT professionals can determine the approximate location of a device—and thus identify the connection owner—via IP. Therefore, storing IP addresses requires a legal basis under the GDPR.
There are also so-called "special categories" of personal data that are particularly sensitive:
- Racial and ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data (e.g., from blood or saliva samples)
- Biometric data (e.g., voice, facial features, behavior)
- Health data
- Data concerning sexual orientation or sex life
Profiling
Definition according to Article 4 GDPR
"Profiling" means any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Explanation:
Profiling involves compiling various pieces of information about a person to better understand or predict behavior. In online contexts, profiling is often used for advertising or credit scoring. Web analytics tools, for example, analyze your behavior and interests on websites to create a user profile, which can then be used to serve targeted ads.
Pseudonymisation
Definition according to Article 4 GDPR
"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Explanation:
In our privacy policy, we often refer to pseudonymised data. Such data cannot be linked to a specific individual unless additional information is available. Pseudonymisation should not be confused with anonymisation. Anonymised data has no connection to a person and can only be traced back with disproportionate effort.
Enterprise
Definition according to Article 4 GDPR
"Enterprise" means a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity.
Explanation:
We, for example, are an enterprise conducting economic activity through our website by offering and selling products and/or services. Every enterprise is associated with a legal entity, such as a GmbH or AG.
Group of Undertakings
Definition according to Article 4 GDPR
"Group of undertakings" means a controlling undertaking and its controlled undertakings.
Explanation:
A group of undertakings is a legal and financial structure of multiple related enterprises under common control. For instance, Instagram, WhatsApp, Oculus VR, and Facebook are distinct companies but operate under the parent company Meta Platforms, Inc.
Controller
Definition according to Article 4 GDPR
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Explanation:
In our case, we are the controller responsible for processing your personal data. If we transfer this data to service providers, they act as processors. A Data Processing Agreement (DPA) must be signed in such cases.
Processing
Definition according to Article 4 GDPR
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Note:
When we refer to "processing" in this privacy policy, we mean all types of operations involving personal data—as listed above—including collection, storage, and use.
Binding Corporate Rules
Definition according to Article 4 GDPR
"Binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or sets of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity.
Explanation:
You may have heard the term "Binding Corporate Rules" (BCRs). This refers to internal data protection policies, especially useful for companies like Google that transfer data to third countries. BCRs establish rules for handling personal data outside the EU, ensuring GDPR-compliant protection.
Personal Data Breach
Definition according to Article 4 GDPR
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Explanation:
A breach might occur due to technical issues or cyberattacks. If the breach poses a risk to individuals' rights and freedoms, it must be reported immediately to the supervisory authority. If the risk is high, affected individuals must also be informed.
Representative
Definition according to Article 4 GDPR
"Representative" means a natural or legal person established in the Union who has been designated in writing by the controller or processor pursuant to Article 27 and represents the controller or processor with regard to their respective obligations under this Regulation.
Explanation:
A “representative” is a person or entity officially appointed in writing by us (as controller) or one of our service providers (as processor). Companies located outside the EU that process personal data of EU citizens are required to appoint a representative within the EU. For example, if a web analytics provider is based in the USA, it must designate a representative within the EU who is responsible for data protection compliance under the GDPR.
Closing Statement
Congratulations! If you’re reading this, you’ve either thoroughly worked your way through our entire privacy policy or at least scrolled all the way down. As you can see from the length and detail of this document, we take the protection of your personal data very seriously.
It is important to us to inform you as transparently as possible about how we process personal data. We don’t just want to tell you what data we process, but also why we use various software tools.
Privacy policies are usually written in highly technical and legal language. Since most of our visitors are neither web developers nor lawyers, we’ve chosen a more approachable tone to explain things as clearly and simply as possible. Of course, due to the nature of the subject, it’s not always possible to avoid technical language entirely. That’s why we’ve included a glossary of the most important terms at the end of this policy.
If you have any questions regarding data protection on our website, please don’t hesitate to contact us or the responsible supervisory authority.
We wish you all the best and hope to welcome you back on our website soon!
All texts are protected by copyright.
This privacy policy was created using the Data Protection Generator for Austria by AdSimple.