Managing Directors: Simon Kemper, Lukas Klein
Contact: Phone: +49 (0) 2564 99970 10 – email: ed.ekacatad%40ollah
Types of Data Processed
Inventory data (e.g., personal master data, names or addresses).
Contact data (e.g. email, phone numbers).
Content data (e.g., text input, images, videos).
Usage data (e.g., websites visited, interest in content, access times).
Meta/communication data (e.g., device information, IP addresses).
Categories of Data Subjects
Visitors and users of the online offer (hereafter referred to collectively as „users“).
Purpose of Processing
Provision of the online offer, its functions and contents.
To answer contact requests and to communicate with users.
„Personal data“ means any information relating to an identified or identifiable natural person (hereafter „data subject“). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
„Processing“ means any operation or set of operations which is performed on personal data or on sets of personal data. This term is wide-ranging and covers practically every type of data handling.
„Pseudonymization“ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
„Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
„Controller“ means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
„Processor“ means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
Applicable Legal Framework
According to Article 13 GDPR, we herewith inform you about the legal basis of our data processing. The following applies to users within the jurisdiction of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, unless the legal basis is mentioned in the data protection declaration:
The legal basis for obtaining consent is Article 6 (1) a and Article 7 GDPR respectively. The legal basis for the processing for the fulfillment of our services and the implementation of contractual measures as well as the answering of inquiries is Article 6 (1) b GDPR;
The legal basis for the processing for the fulfillment of our legal obligations is Article 6 (1) c GDPR;
If vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6 (1) GDPR shall serve as the legal basis.
The legal basis for the processing which is required for the performance of a task carried out in the public interest or in exercising official authority entrusted to the controller is Article 6 (1) e GDPR.
The legal basis for the processing to protect our legitimate interests is Article 6 (1) f GDPR. The processing of data for purposes other than those for which they were collected is governed by the provisions of Article 6 (4) GDPR. The processing of special categories of personal data (according to Article 9 (1) GDPR) is governed by the provisions of Article 9 (2) GDPR.
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the respective likelihood of occurrence and severity of the risk towards the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
Such measures shall include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access, input, disclosure, protection and separation of data. We have also established procedures to ensure compliance with the rights of data subjects, deletion of data and reaction to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes, under the principle of data protection through technology design and data protection-friendly default settings.
Cooperation with Processors, Joint Managers and Third Parties
Insofar as we disclose data to other persons and companies (contract processors, jointly responsible persons or third parties) within the scope of our processing, transmit data to them or otherwise grant them access to the data, this shall only take place based on legal permission (e.g. if transmission of the data to third parties, such as payment service providers, is necessary for the performance of the contract), if users have consented, if a legal obligation stipulates it, or based on our legitimate interests (e.g. when using agents, web hosts).
Where we disclose, transfer or otherwise grant access to data to other companies in our group of companies, this is done in particular for administrative purposes as a legitimate interest and beyond that based on legal requirements.
Transfers to Third Countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation), if we do so as part of the use of third-party services, or if we disclose or transfer data to other persons or companies, it will only take place for the fulfillment of our (pre)contractual obligations, based on your consent, on a legal obligation or to satisfy our legitimate interests. Notwithstanding explicit consent or transfer as required by contract, we only process data or allow data to be processed in those third countries with a recognized level of data protection, including US processors certified under the „Privacy Shield“, or based on individual guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Article 44 to 49 GDPR, information page of the EU Commission):
Rights of Data Subjects
You are entitled to request confirmation as to whether the data in question will be processed, to obtain information about this data as well as further information and a copy of the data following legal requirements.
In accordance with legal requirements, you are entitled to request the completion of data or correction of incorrect data concerning you.
In accordance with the legal requirements, you are entitled to demand deletion of the relevant data without delay or to demand processing restrictions.
You are entitled to demand to receive the data concerning you, which you have made available to us, under the legal requirements and to demand its transfer to other responsible persons.
You are also entitled to file a complaint with the competent supervisory authority under the legal provisions.
Right of Withdrawal
You have the right to revoke any consent you have given with effect for the future.
Right of Objection
At any time, you may object to the future processing of the data concerning you in accordance with the statutory provisions. The objection may, in particular, be lodged against handling for direct marketing.
Cookies and Right to Object to Direct Advertising
„Cookies“ are small files that are stored on the user’s computer device. Different data can be stored within the cookies. A cookie is primarily used to store information about a user (or about the device on which the cookie is stored) during or after the user’s visit to an online service. Temporary cookies (also „session cookies“ or „transient cookies“) are cookies that are deleted after a user leaves an online offer and closes the browser. Such cookies can, for example, store the content of a shopping basket in an online shop or a login status. Cookies are referred to as „permanent“ or „persistent“ if they remain stored even after the browser is closed. As an example, the login status can be saved until a user visits it again several days later. The user’s interests that are used for range measurement or marketing purposes can also be stored in such a cookie.
„Third-Party Cookies“ are cookies that are offered by providers other than the responsible person who operates the online service (otherwise, when they are solely cookies of the person responsible for the online service, they are referred to as „First-Party Cookies“).
If users do not wish cookies to be stored on their computer device, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can also be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
Deletion of Data
If the data are not deleted because they are required for legally permissible or other purposes, their processing will be restricted. I.e. the data will be blocked and not processed for other purposes. This, for example, applies to data that must be stored for commercial or tax reasons.
Additionally, we process
Contract data (e.g. contract object, duration, customer category).
Payment data (e.g. bank details, payment history)
of our customers, interested parties and business partners to provide contractual services, customer service and care, marketing, advertising and market research.
External Payment Service Providers
For the fulfillment of contracts, we use the payment service providers based on Article 6 (1) b GDPR. Moreover, we use external payment service providers based on our legitimate interests under Article 6 (1) f GDPR to offer our users effective and secure payment options.
Google Cloud Services
We utilize Google’s cloud and cloud software services (software as a service, such as Google Suite) for the following purposes: storing and managing documents, managing calendars, sending emails, spreadsheets and presentations, exchanging documents, content and information with specific recipients or publishing web pages, forms or other content and information, as well as chatting and participating in audio and video conferences.
Here, the users‘ personal data are processed insofar as they become part of the documents and contents processed within the described services or are part of communication processes. This may include user master data and contact data, process data, contracts, further processes and their contents. Google also processes usage data and metadata used by Google for security and service optimization purposes.
In the context of using publicly accessible documents, websites or other content, Google may store cookies on the user’s computer device to enable web analysis or to remember user preferences.
We make use of the Google Cloud services based on our legitimate interests according to Article 6 (1) f GDPR for efficient and secure administrative and cooperation processes. Furthermore, the processing takes place under a commissioned-processing contract with Google (https://cloud.google.com/terms/data-processing-terms).
For more information, visit Google’s privacy statement (https://www.google.com/policies/privacy) and Google Cloud Services Security Notes (https://cloud.google.com/security/privacy/). You can object to the processing of your data in the Google Cloud under the legal requirements. Otherwise, the respective processing steps shall determine the deletion of data within Google’s cloud services within the framework of which the data is processed (e.g. removal of data is no longer required for contractual purposes, storage for purposes of taxation of data needed).
Google Cloud services are offered by Google Ireland Limited. As far as a transmission to the USA takes place, we refer to the certification of Google USA under the Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000000001L5AAI&status=Active) as well as their standard protection clauses (https://cloud.google.com/terms/data-processing-terms).
Users can create a user account. During registration, the required mandatory data will be communicated to the users and processed based on Article 6 (1) b GDPR for the provision of the user account. The processed data include, in particular, the login information (name, password and an email address). The data entered during registration will be utilized for the intended use of the user account.
Users may be informed by email about information relevant to their user account, such as technical changes. If users have terminated their user account, their data will be deleted concerning the user account, subject to statutory retention obligations. It is the users‘ responsibility to secure their data before the end of the contract in the event of termination. We are entitled to irrevocably delete all user data stored during the term of the agreement.
As part of the use of our registration and login functions as well as the usage of the user account, we store the IP address and the time of particular user activities. The storage is based on our legitimate interests as well as the user’s protection against misuse and other unauthorized use. A transfer of these data to third parties does not take place unless it is necessary to pursue our entitlements or there is a legal obligation under Article 6 (1) c GDPR. The IP addresses are anonymized or deleted after seven days at the latest.
When making contact with us (e.g. via a contact form, email, telephone or via social media), the user’s details are used for processing the contact inquiry under Article 6 (1) b (for contractual and pre-contractual relationships), Article 6 (1) f GDPR (other requests). The user data may be stored in a Customer Relationship Management System („CRM System“) or similar tools.
We will delete the requests if they are no longer required. We review the necessity every two years. Furthermore, the respective statutory archiving obligations shall apply.
Zendesk CRM System
We rely on the CRM system „Zendesk“ by Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA, to process user inquiries faster and more efficiently (justified interest according to Article 6 (1) f GDPR).
Zendesk is certified under the Privacy Shield Agreement, providing an additional guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000TOjeAAG&status=Active).
Zendesk uses user data only for the technical processing of inquiries and does not pass them on to third parties. To use Zendesk, users must provide at least a correct email address. Pseudonymous use is possible. During the processing of service requests, it may be necessary to collect more data (name, address).
Should a user disagree with the collection and storage of data in Zendesk’s external system, we may provide alternative contact options for submitting service requests by email, telephone, fax or mail.
Newsletter content: We send newsletters, emails and other electronic notifications containing advertising information (hereafter referred to as „Newsletter“) with the consent of the recipient only or with respective legal permission. Insofar as the newsletter’s contents are clearly described within the scope of the service registration, they are authoritative for the user’s consent. In general, our newsletters contain information about us and our services.
Double-Opt-In and logging: Registration to our newsletter takes place in a so-called Double-Opt-In procedure, i.e. upon registration, you will receive an email asking you to confirm your registration. This confirmation is required to ensure that no one can register with someone else’s email address. The newsletter registrations are logged to be able to track the registration process in line with legal requirements. This includes storing the login and confirmation times as well as the IP address. Likewise, any data changes stored by the shipping service provider will be logged.
Registration details: To subscribe to the newsletter, it is sufficient to enter your email address. We optionally ask you to provide your name in the newsletter to address you personally.
The newsletter will be sent, and the associated performance measurement will be carried out based on the recipient’s consent under Article 6 (1) a and Art. 7 GDPR in conjunction with § 7 (2) No. 3 Unfair Competition Act (UWG) or, if consent is not required, based on our legitimate interests in direct marketing according to Article 6 (1) f GDPR in conjunction with § 7 (3) UWG.
The logging of the registration procedure will be carried out under our legitimate interests under Article 6 (1) f GDPR. We are committed to providing a user-friendly and secure newsletter system that serves our business interests, meets users‘ expectations and allows us to provide evidence of consent.
Cancellation/Revocation – You can cancel the receipt of our newsletter, i.e. revoke your consent, at any time. You will find a link to cancel the newsletter in the footer of each newsletter. We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to prove prior consent. This data will only be processed in the event of a possible defense against claims. An individual deletion request is possible at any time, subject to confirmation of a former consent.
Newsletter – Mailchimp
The dispatch service provider may use the recipient’s data in a pseudonymous form, i.e. without allocation to a user, to optimize or improve its services, e.g. for technical optimization of the dispatch and presentation of the newsletter or statistical purposes. However, the shipping service provider does not use the data of our newsletter recipients to write to them themselves or to pass the data on to third parties.
Hosting and Emailing
The hosting services used by us are intended to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services and technical maintenance services which we use to operate this online service.
We, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online service based on our legitimate interests in the efficient and secure provision of this online service in accordance with Article 6 (1) f GDPR in conjunction with Art. 28 GDPR (conclusion of commissioned-processing contracts).
Collection of Access Data and Log Files
We, and/or our hosting provider, collect data based on our legitimate interests in the meaning of Article 6 (1) f GDPR about each access to the server on which this service is located (so-called server log files). This includes the name of the website accessed, the file name, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address as well as the requesting provider.
Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud actions) for the duration of up to seven days and then deleted. Any data required for further storage to substantiate claims shall not be removed until the particular incident has been finally clarified.
Cloudflare’s Content Delivery Network
We use a so-called „Content Delivery Network“ (CDN), offered by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare is certified under the Privacy Shield Agreement and thus provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0&status=Active).
CDN is a service which helps us to speed up content delivery of our online service (in particular large media files such as graphics or scripts) with the help of regionally distributed servers on the Internet. The processing of user data is carried out solely for the aforementioned purposes and to maintain the security and the functionality of the CDN.
The use is based on our legitimate interests, i.e. interest in a secure and efficient provision, analysis and optimization of our online offer according to Article 6 (1) f GDPR.
Functional Software, Inc Sentry – Server Monitoring and Error Tracking
With the help of server monitoring and error tracking, we ensure the availability and integrity of our online service and use the data processed thereby to improve our online service technically.
For these purposes, we use the service Functional Software INC, dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA. Sentry is certified under the Privacy Shield Agreement, providing a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000TNDzAAO&status=Active).
Functional Software, Inc. processes aggregated performance data, i.e. performance, utilization and comparable technical values, which provide information about the stability and possible peculiarities of our online offering. In the event of errors and anomalies, individual inquiries from users of our online service are recorded pseudonymously to identify and eliminate sources of problems. In this case, pseudonym means in particular that the IP addresses of the users are shortened by the last two digits (so-called IP masking). The aggregated data are deleted after three months, the pseudonymized data after seven days.
We use Functional Software, Inc. based on our legitimate interests in the security, accuracy and optimization of our online services under Article 6 (1) f GDPR.
For more information about Functional Software, Inc.’s processing of personal data,
Google may use this information on our behalf to evaluate the use of our website by users, to compile reports on the activities within this website and to provide us with additional services relating to the use of this website and the Internet. Pseudonymous user profiles may be created from the processed data.
We only use Google Analytics with IP anonymization enabled. This means that Google will shorten the user’s IP address within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user’s browser is not merged with other Google data. Users may also prevent the collection of data by Google generated by the cookie and relating to the use of the website as well as the processing of such data by Google by downloading and installing the browser plug-in available under the following link:
When asking users for their consent (e.g. in the context of a cookie agreement), such processing is based on Article 6 (1) a GDPR. Otherwise, the users‘ personal data will be processed based on our legitimate interests (i.e. interest in the analysis, optimization and economical operation of our online offer under the terms of Article 6 (1) f GDPR).
As far as data are processed in the USA, we refer to the fact that Google is certified under the Privacy Shield agreement and thereby pledged to observe the European data protection law
the display of advertising (https://adssettings.google.com/authenticated).
The users‘ personal data will be deleted or anonymized after 14 months.
Online Presence in Social Media
We maintain an online presence within social networks and platforms to be able to communicate with customers, interested parties and users who are active there and to inform them about our services.
We want to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more challenging to enforce users‘ rights. For US vendors certified under the Privacy Shield, we refer to the providers‘ pledge to comply with EU privacy standards.
Furthermore, user data is usually processed for market research and advertising purposes. For example, user profiles can be created from user behavior and the resulting interests of users. In turn, such user profiles can be used, for example, to place advertisements within and outside the platforms that are presumed to correspond to the interests of users. For these purposes, cookies are usually stored on the user’s computer, in which the user’s browsing habits and interests are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
The processing of the users‘ personal data is carried out based on our legitimate interests in the adequate provision of information to users and in communication with users in accordance with Article 6 (1). If the users are requested by the respective platform providers to consent to the data processing described above, the legal foundation of the processing is Article 6 (1) a and Art. 7 GDPR. For a detailed explanation of the respective processing and the opt-out options, we refer to the provider details below.
Similarly, concerning requests for information and the enforcement of user rights, we advise you that these can be enforced most effectively with the respective providers directly. Only the providers have access to the users‘ data and can directly take appropriate measures or provide information. If you still need help, please do not hesitate to contact us.
Opt-Out: Privacy Shield:
Integration of Third-Party Services and Content
We use content or service offers from third parties within our online offer based on our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Article 6 (1) f GDPR) in order to integrate their content and services, such as videos or fonts (hereafter uniformly referred to as „content“).
To do so, it is always assumed that the third-party providers of this content recognize the IP address of the user since they would not be able to send the content to their browser without the IP address. The IP address is therefore required for the presentation of these contents. We strive to use only those contents, whose respective providers use the IP address solely for the distribution of the contents. Third parties may also use so-called pixel tags (invisible graphics, also known as „web beacons“) for statistical or marketing purposes. The „pixel tags“ can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our site, and may also be linked to such information from other sources.