Privacy Policy for ZAITRUS

Data Protection Information pursuant to German data protection laws

Table of contents

1. Preamble

With the following Privacy Policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This Privacy Policy applies to all processing activities involving personal data carried out by us, both in the course of providing our services and, in particular, on our websites, mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used in this Privacy Policy are gender-neutral.

Last updated: December 3, 2025

2. Responsible party

Valentin Meiler
ZAITRUS GmbH
Alexanderstraße 2
95444 Bayreuth

E-Mail-Adresse:

valentin.meiler@zaitrus.de

Impressum: https://www.zaitrus.de/impressum/

3. Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of their processing, and refers to the categories of data subjects concerned.

Types of Data Processed

  • Inventory data.
  • Location data.
  • Contact data.
  • Content data.
  • Usage data.
  • Meta, communication, and procedural data.

Categories of Data Subjects

  • Communication partners.
  • Users.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Contact requests and communication.
  • Security measures.
  • Measurement of reach (analytics).
  • Administration and response to inquiries.
  • Feedback.
  • Marketing.
  • User-related profiles.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.

4. Applicable Legal Bases

Applicable legal bases under the GDPR (DSGVO): Below you will find an overview of the legal bases under the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or in our country of establishment. Where more specific legal bases are applicable in individual cases, we will inform you of these in this Privacy Policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests, fundamental rights, and freedoms of the data subject which require the protection of personal data.

National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions, in particular, regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, as well as the transfer of data and automated decision-making in individual cases, including profiling. In addition, the data protection laws of the individual German federal states may apply.

Note on the applicability of the GDPR and the Swiss Federal Act on Data Protection (Swiss FADP): This Privacy Policy serves to provide information both pursuant to the Swiss Federal Act on Data Protection (FADP) and pursuant to the GDPR. For this reason, and due to the broader territorial scope and international comprehensibility, the terminology of the GDPR is used throughout this Privacy Policy. In particular, instead of the terms used in the Swiss FADP such as “processing” of “personal data,” “overriding interest,” and “sensitive personal data,” the terms used in the GDPR—namely “processing” of “personal data,” “legitimate interest,” and “special categories of data”—are applied. However, the legal meaning of these terms continues to be determined in accordance with the Swiss FADP where it is applicable.

5. Security Measures

In accordance with the statutory requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access related to data entry, transfer, availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data security incidents. In addition, we take data protection into account as early as the development or selection of hardware, software, and processes, in accordance with the principles of data protection by design and data protection by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services against unauthorized access, we use Transport Layer Security (TLS) / Secure Sockets Layer (SSL) encryption technology. SSL and TLS are fundamental technologies for secure data transmission on the internet. These technologies encrypt the information transmitted between a website or application and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure successor to SSL, ensures that all data transmissions comply with the highest security standards. A website secured with an SSL/TLS certificate can be identified by the use of “HTTPS” in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.

6. Transfer of Personal Data

In the course of processing personal data, it may occur that such data is transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include, for example, service providers entrusted with IT-related tasks or providers of services and content integrated into a website. In such cases, we comply with the applicable legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of the data to ensure the protection of your personal data.

Data transfers within the organization and within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to such data. Where such data transfers take place for administrative purposes, they are based on our legitimate business and operational interests. Alternatively, such transfers may occur where they are necessary for the performance of our contractual obligations, where the data subjects have given their consent, or where a legal authorization applies.

7. Deletion of data

The data we process will be deleted in accordance with legal requirements as soon as the consent for processing is revoked or other permissions cease to apply (e.g., if the purpose of processing this data no longer applies or it is not necessary for the purpose). If the data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. Our privacy policy may also contain further information on the storage and deletion of data that takes precedence for the respective processing operations.

8. Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to the following rights under the General Data Protection Regulation (GDPR), in particular pursuant to Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. Where personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and, where that is the case, access to the personal data as well as further information and a copy of the data in accordance with the statutory requirements.
  • Right to rectification: In accordance with the statutory requirements, you have the right to request the completion of incomplete personal data concerning you or the correction of inaccurate personal data.
  • Right to erasure and restriction of processing: You have the right, in accordance with the statutory requirements, to request the immediate deletion of personal data concerning you or, alternatively, to request the restriction of the processing of such data.
  • Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request the transmission of such data to another controller, in accordance with the statutory requirements.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

9. Provision of the Online Offering and Web Hosting

We process users’ data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); content data (e.g., entries in online forms).
  • Categories of data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices such as computers and servers); security measures.
  • Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

Additional Information on Processing Activities, Procedures, and Services

  • Provision of the online offering via rented hosting resources: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a server provider (so-called “web hoster”); Legal basis: Legitimate interests (Article 6(1)(f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files.” These server log files may include the address and name of the accessed websites and files, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files are used, on the one hand, for security purposes (e.g., to prevent server overload, particularly in the case of abusive attacks such as DDoS attacks) and, on the other hand, to ensure server utilization and stability; Legal basis: Legitimate interests (Article 6(1)(f) GDPR). Data deletion: Log file information is stored for a maximum period of 30 days and is then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been fully clarified.
  • Email sending and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders, as well as further information related to email transmission (e.g., the involved service providers), and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails sent via the internet are generally not fully encrypted. While emails are typically encrypted during transmission, they are not encrypted on the servers from which they are sent and received unless end-to-end encryption is used. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and receipt on our server; Legal basis: Legitimate interests (Article 6(1)(f) GDPR). Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

10. Use of Cookies

Cookies are small text files or other storage records that store information on end devices and read information from them. For example, cookies may be used to store the login status in a user account, the contents of a shopping cart in an online shop, or the accessed content and functions of an online offering. Cookies may also be used for various purposes, such as ensuring functionality, security, and convenience of online services, as well as for analyzing visitor traffic.

Information on Consent: We use cookies in accordance with statutory provisions. Therefore, we obtain prior consent from users unless consent is not required by law. Consent is not required in particular if the storage and retrieval of information — including cookies — is strictly necessary in order to provide users with a telemedia service explicitly requested by them (i.e., our online offering). Revocable consent is clearly communicated to users and includes information about the respective cookie usage.

Information on Data Protection Legal Bases: The legal basis under data protection law for processing users’ personal data using cookies depends on whether we request consent. If users provide consent, the legal basis for processing their data is that consent. Otherwise, the data processed through cookies is handled on the basis of our legitimate interests (e.g., in the economic operation of our online offering and improving its usability), or — where applicable — in order to fulfill our contractual obligations, if the use of cookies is necessary to perform those obligations. The purposes for which we use cookies are explained in this privacy policy or as part of our consent and processing procedures.

Storage Duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest when a user leaves an online offering and closes their end device (e.g., browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, the login status may be saved and preferred content displayed immediately when the user revisits a website. In addition, usage data collected via cookies may be used for reach measurement. Unless users are explicitly informed otherwise about the type and storage duration of cookies (e.g., during the consent process), they should assume that cookies are persistent and that their storage duration may be up to two years.

General Information on Withdrawal and Objection (Opt-Out): Users may revoke any consent they have given at any time and may also object to the processing of their personal data in accordance with statutory requirements, including by using the privacy settings of their browser.

  • Legal basis: Legitimate interests (Article 6(1)(f) GDPR); Consent (Article 6(1)(a) GDPR).

Additional Information on Processing Activities, Procedures, and Services

  • Processing of cookie data based on consent: We use a consent management solution through which users’ consent for the use of cookies or for the procedures and service providers specified within the consent management solution is obtained. This procedure serves to obtain, document, manage, and revoke consent, particularly with regard to the use of cookies and comparable technologies used to store, read, and process information on users’ end devices. Within this process, users’ consent for the use of cookies and the associated processing of information — including the specific processing operations and service providers named in the consent management process — is obtained. Users also have the option to manage and withdraw their consent at any time. Consent declarations are stored in order to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or via comparable technologies in order to associate the consent with a specific user or their device. If no specific information about the providers of consent management services is available, the following general information applies: consent is stored for up to two years. In this process, a pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g., affected categories of cookies and/or service providers), as well as information about the browser, system, and end device used. Legal basis: Consent (Article 6(1)(a) GDPR).
  • Complianz – Consent management: Consent management solution for obtaining, documenting, managing, and revoking consent, in particular for the use of cookies and similar technologies for storing, reading, and processing information on users’ end devices and for the associated processing activities.

    Service provider: Execution on servers and/or computers under its own data protection responsibility; Website: https://complianz.io/Privacy policy: https://complianz.io/legal/ 
    Further information: An individual user ID, language, types of consent, and the time consent was given are stored server-side and in a cookie on the user’s device.

11. Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter referred to as “publication media”). Readers’ data is processed for the purposes of the publication media only to the extent necessary for its presentation and for communication between authors and readers, or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication media contained in this privacy policy.

  • Types of data processed: Usage data (e.g., names, addresses); contact data (e.g., email addresses, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Categories of data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; feedback (e.g., collection of feedback via online forms); provision of our online offering and user-friendliness.
  • Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

12. Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media), as well as within the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested actions.

  • Types of data processed: Contact data (e.g., email addresses, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Categories of data subjects: Communication partners.
  • Purposes of processing: Handling contact inquiries and communication; administration and response to inquiries; feedback (e.g., collection of feedback via online forms); provision of our online offering and user-friendliness.
  • Legal basis: Legitimate interests (Article 6(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR).

Additional Information on Processing Activities, Procedures, and Services

  • Contact form: When users contact us via our contact form, email, or other communication channels, we process the data transmitted in this context for the purpose of handling the stated request; Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR); legitimate interests (Article 6(1)(f) GDPR).

13. Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate visitor traffic on our online offering and may include pseudonymous information about visitors’ behavior, interests, or demographic characteristics, such as age or gender. Using reach analysis, we can, for example, identify the times at which our online offering or its functions and content are most frequently used or encourage reuse. It also enables us to determine which areas require optimization.

In addition to web analytics, we may also use testing procedures, such as A/B testing, to test and optimize different versions of our online offering or individual components thereof.

Unless otherwise stated below, profiles — meaning data aggregated for a specific usage process — may be created for these purposes, and information may be stored in a browser or on an end device and subsequently accessed. The data collected includes, in particular, visited websites and the elements used there, as well as technical information such as the browser used, the operating system, and usage times. If users have consented to the collection of their location data either to us or to the providers of the services we use, the processing of location data is also possible.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users. As a general rule, no directly identifiable data (such as email addresses or names) is stored as part of web analytics, A/B testing, and optimization processes; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of users, but only the information stored in their profiles for the respective processing purposes.

Information on Legal Bases: If we request users’ consent for the use of third-party providers, the legal basis for data processing is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., an interest in providing efficient, economically viable, and user-friendly services). In this context, we also refer to the information on the use of cookies contained in this privacy policy.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Categories of data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness.
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Article 6(1)(a) GDPR).

Additional Information on Processing Activities, Procedures, and Services

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any directly identifiable data such as names or email addresses. It is used to assign analysis information to an end device in order to determine which content users have accessed during one or more usage sessions, which search terms they have used, whether they have revisited content, or how they have interacted with our online offering. In addition, the time and duration of use, the sources from which users access our online offering, and technical aspects of users’ end devices and browsers are stored.
    Pseudonymous user profiles may be created using information from the use of multiple devices, and cookies may be used for this purpose. Google Analytics does not log or store individual IP addresses for users within the European Union. However, Analytics provides coarse geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, and subcontinent (including ID-based equivalents). For EU data traffic, IP address data is used exclusively for deriving these geolocation data and is immediately deleted thereafter. It is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP queries are carried out on EU-based servers before the traffic is forwarded to Analytics servers for processing. Service provider:
    Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

    Legal basis: Consent (Article 6(1)(a) GDPR).

    Website: https://marketingplatform.google.com/intl/de/about/analytics/;

    Security measures: IP masking (pseudonymization of the IP address).

    Privacy policy: https://policies.google.com/privacy;

    Data processing agreement: https://business.safety.google/adsprocessorterms/;

    Basis for third-country transfers:
    Data Privacy Framework (DPF).

    Right to object (opt-out):
    Opt-out browser plugin: https://tools.google.com/dlpage/gaoptout?hl=de,
    Ad personalization settings: https://myadcenter.google.com/personalizationoff

    Further information: https://business.safety.google/adsservices/ (Types of processing and categories of processed data)

14. Presence on Social Networks (Social Media)

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active on these platforms or to provide information about us.

We would like to point out that user data may be processed outside the European Union in this context. This may result in risks for users, as the enforcement of users’ rights may, for example, be more difficult.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on users’ behavior and resulting interests. These profiles may in turn be used to display advertisements within and outside the networks that presumably correspond to users’ interests. For this reason, cookies are generally stored on users’ devices, in which usage behavior and user interests are stored. In addition, data may also be stored in usage profiles independently of the devices used by users (in particular, if users are members of the respective platforms and logged in to them).

For a detailed description of the respective processing operations and the available options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective social networks.

In the case of requests for information and the assertion of data subject rights, we also point out that these can be most effectively exercised with the respective service providers. Only the providers have access to the users’ data and can take appropriate measures directly and provide information. Should you nevertheless require assistance, you may contact us.

  • Types of data processed: Contact data (e.g., email addresses, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Categories of data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Handling contact inquiries and communication; feedback (e.g., collection of feedback via online forms); marketing.
  • Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

Additional Information on Processing Activities, Procedures, and Services

  • Instagram: Social network;
    Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
    Legal basis: Legitimate interests (Article 6(1)(f) GDPR);
    Website: https://www.instagram.com;
    Privacy policy: https://instagram.com/about/legal/privacy.
    Basis for third-country transfers: Data Privacy Framework (DPF).
  • Linkedin: Social network;
    Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
    Legal basis: Legitimate interests (Article 6(1)(f) GDPR);
    Website: https://www.linkedin.com;
    Privacy policy: https://www.linkedin.com/legal/privacy-policy;
    Basis for third-country transfers: Data Privacy Framework (DPF).
    Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.Further information: We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors to our LinkedIn profiles for the purpose of creating “Page Insights” (statistics).
    This data includes information about the types of content users view or interact with, actions taken by users, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and profile information such as job function, country, industry, seniority level, company size, and employment status. Information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policyWe have entered into a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”):https://legal.linkedin.com/pages-joint-controller-addendumThis agreement regulates, in particular, the security measures LinkedIn must observe and confirms that LinkedIn has committed to fulfilling data subject rights (e.g., users may submit requests for access or deletion directly to LinkedIn). The rights of users (in particular the right of access, deletion, objection, and complaint to a competent supervisory authority) are not restricted by this agreement. Joint controllership is limited to the collection of data and its transmission to LinkedIn Ireland Unlimited Company, an entity established in the European Union. Further processing of the data is carried out exclusively by LinkedIn Ireland Unlimited Company, in particular the transfer of data to its parent company, LinkedIn Corporation, in the United States.

15. Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter uniformly referred to as “content”).

The integration of such content always requires that the third-party providers process users’ IP addresses, as they would otherwise not be able to transmit the content to users’ browsers. The IP address is therefore necessary for the display of this content or these functions. We endeavor to use only such content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through these pixel tags, information such as visitor traffic on the pages of this website may be evaluated. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, visit times, and further details regarding the use of our online offering. This information may also be combined with information from other sources.

Information on Legal Bases: If we request users’ consent for the use of third-party providers, the legal basis for data processing is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., an interest in providing efficient, economically viable, and user-friendly services). In this context, we also refer to the information on the use of cookies contained in this privacy policy.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); location data (information about the geographic position of a device or a person).
  • Categories of data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; marketing; profiles with user-related information (creation of user profiles).
  • Legal basis: Consent (Article 6(1)(a) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Additional Information on Processing Activities, Procedures, and Services

  • Google Maps: We integrate maps provided by the service “Google Maps” of Google into our online offering. The data processed may include, in particular, users’ IP addresses and location data.
    Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
    Legal basis: Consent (Article 6(1)(a) GDPR).
    Website: https://mapsplatform.google.com/;
    Privacy policy: https://policies.google.com/privacy.
    Basis for third-country transfers: Data Privacy Framework (DPF).
  • Instagram Plugins and Embedded Content We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt, in the context of a data transfer (but not for the subsequent processing), of so-called “event data” collected by Facebook through Instagram features (e.g., embedding functions for content) that are executed on our online offering or received through such a transfer. This joint responsibility applies to the following purposes: a) Display of content and advertising information corresponding to the presumed interests of users; b) Delivery of commercial and transactional messages (e.g., communication with users via Facebook Messenger); c) Improvement of ad delivery and personalization of functions and content (e.g., improving recognition of which content or advertising information is likely to be of interest to users). We have concluded a specific agreement with Facebook (“Controller Addendum”)
    – Wir sind gemeinsam mit Meta Platforms Ireland Limited für die Erhebung oder den Erhalt im Rahmen einer Übermittlung (jedoch nicht die weitere Verarbeitung) von „Event-Daten“, die Facebook mittels Funktionen von Instagram (z. B. Einbettungsfunktionen für Inhalte), die auf unserem Onlineangebot ausgeführt werden, erhebt oder im Rahmen einer Übermittlung zu folgenden Zwecken erhält, gemeinsam verantwortlich: a) Anzeige von Inhalten sowie Werbeinformationen, die den mutmaßlichen Interessen der Nutzer entsprechen; b) Zustellung kommerzieller und transaktionsbezogener Nachrichten (z. B. Ansprache von Nutzern via Facebook-Messenger); c) Verbesserung der Anzeigenauslieferung und Personalisierung von Funktionen und Inhalten (z. B. Verbesserung der Erkennung, welche Inhalte oder Werbeinformationen mutmaßlich den Interessen der Nutzer entsprechen). Wir haben mit Facebook eine spezielle Vereinbarung abgeschlossen („Zusatz für Verantwortliche“, https://www.facebook.com/legal/controller_addendumwhich regulates, in particular, the security measures Facebook must observe: https://www.facebook.com/legal/terms/data_security_terms Under this agreement, Facebook has committed to fulfilling data subject rights (e.g., users may submit requests for information or deletion directly to Facebook). Note: If Facebook provides us with measurement values, analyses, and reports that are aggregated (i.e., do not contain information about individual users and are anonymous to us), such processing does not take place within the scope of joint controllership. Instead, it is based on a data processing agreement (“Data Processing Terms”): https://www.facebook.com/legal/terms/dataprocessing), This processing is additionally subject to the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_termsWith regard to data processing in the United States, standard contractual clauses apply (“Facebook EU Data Transfer Addendum”): https://www.facebook.com/legal/EU_data_transfer_addendumThe rights of users (in particular the right of access, erasure, objection, and complaint to a supervisory authority) are not restricted by these agreements.
    Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
    Legal basis: Legitimate interests (Article 6(1)(f) GDPR);
    Website: https://www.instagram.com;
    Privacy policy: https://instagram.com/about/legal/privacy/.