Marta Schafstall – Data Protection

Privacy Policy

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offerings").

The terms used are not gender-specific.

Status: June 2024

Responsible

Marta Schafstall
Seestrasse 16
6353 Weggis

Email Address: marta.schafstall@gmail.com

Overview of Processing Activities

The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected individuals.

Types of Processed Data

Inventory data.
Payment data.
Contact data.
Content data.
Contract data.
Usage data.
Meta/communication data.

Categories of Affected Individuals

Customers.
Interested parties.
Communication partners.
Users.
Business and contractual partners.

Purposes of Processing

Providing contractual services and customer service.
Contact inquiries and communication.
Security measures.
Direct marketing.
Office and organizational procedures.
Administration and response to inquiries.
Feedback.
Marketing.
Profiles with user-related information.
Providing our online offerings and user-friendliness.
Information technology infrastructure.

Relevant Legal Bases

The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If there are more specific legal bases relevant in individual cases, we will inform you of these in the privacy policy.

Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR) – The affected person has given consent to the processing of their personal data for a specific purpose or purposes.
Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the affected person is a party or to take steps at the request of the affected person prior to entering into a contract.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests or fundamental rights and freedoms of the data subject override those interests.

In addition to the data protection provisions of the General Data Protection Regulation, national regulations on data protection apply in Switzerland. This includes, in particular, the Federal Act on Data Protection (FADP). The FADP applies primarily when no EU/EEA citizens are affected and, for example, only data of Swiss citizens are processed.

Security Measures

We take appropriate technical and organizational measures to ensure a level of protection that is appropriate to the risk, considering the state of the art, the cost of implementation, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihoods of occurrence and the severity of the threat to the rights and freedoms of natural persons.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data through controlling physical and electronic access to the data as well as access, input, transfer, availability preservation, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. We also consider the protection of personal data during the development or selection of hardware, software, and processes, in accordance with the principle of data protection through technology design and by default settings that are privacy-friendly.

SSL encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transmission of Personal Data

As part of our processing of personal data, it may happen that data is transferred to other places, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include, for example, service providers assigned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude relevant contracts or agreements to protect your data with the recipients of your data.

Data Processing in Third Countries

Provided that we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place as part of the use of services from third parties or the disclosure or transfer of data to other persons, entities, or companies, this only occurs in accordance with legal requirements.

Subject to explicit consent or the contractual or legal necessity of transmission, we process or have data processed only in third countries that have an adequate level of data protection, contractual obligations by means of standard contractual clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Deletion of Data

The data we process will be deleted in accordance with legal requirements as soon as the permitted consents for processing are revoked or other permissions expire (e.g., when the purpose of processing these data is no longer necessary or when they are no longer required for the purpose). If the data is not deleted because it is necessary for other legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose retention is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

Our privacy notices may also contain further information on the retention and deletion of data that apply primarily for the respective processing activities.

Use of Cookies

Cookies are small text files or other storage notes that store information on end devices and read information from end devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content or used functions of an online offering. Cookies can also be used for various purposes, e.g. for the functionality, security, and comfort of online offerings, as well as to create analyses of visitor flows.

Consent Notices: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless this is not legally required. Consent is not required, in particular, when the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service explicitly requested by them (i.e., our online offering). The revocable consent is clearly communicated to users and includes information on the respective cookie usage.

Notices on Data Protection Legal Bases: On which data protection legal basis we process users' personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the granted consent. Otherwise, the data processed using cookies is processed based on our legitimate interests (e.g., in the economic operation of our online offering and improving its usability) or when it is necessary to fulfill our contractual obligations. We will clarify the purposes for which cookies are processed by us in the course of this privacy policy or as part of our consent and processing processes.

Storage Duration: With regard to the storage duration, the following types of cookies are distinguished:

Temporary Cookies (also: Session or Session Cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g., browser or mobile application).
Permanent Cookies: Permanent cookies remain stored even after the end device has been closed. For example, the login status can be saved or preferred content displayed directly when the user visits a website again. Likewise, data collected using cookies may be used for reach measurement. If we do not provide users with explicit information on the type and storage duration of cookies (e.g., in the context of obtaining consent), users should assume that cookies are permanent and that the storage duration may be up to two years.

General Notices on Revocation and Opposition (Opt-Out): Users can revoke any consents they have given at any time and also file an objection to the processing in accordance with the legal provisions in Art. 21 GDPR. Users can also express their objection via their browser settings, e.g. by disabling the use of cookies (which may limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be made through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/ .

Further Notes on Processing Processes, Procedures, and Services:

Processing of Cookie Data Based on Consent: We use a procedure for cookie consent management, in which the consents of the users for the use of cookies or the processing and providers mentioned in the cookie consent management process are obtained and can be managed and revoked by the users. In this context, the consent statement is stored to avoid having to ask again and to be able to prove consent in accordance with legal obligations. The storage can be done server-side and/or in a cookie (so-called Opt-In cookie or using similar technologies) to assign consent to a user or their device. Subject to individual information about the providers of cookie management services, the following notes apply: The duration of the consent storage can be up to two years. In this context, a pseudonymous user identifier is created and stored with the time of consent, data on the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and used end device.

Business Services

We process data of our contractual and business partners, such as customers and interested parties (collectively referred to as "contract partners") in the context of contractual and similar legal relationships, as well as related measures and in the context of communication with the contract partners (or pre-contractually), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any updating obligations, and remedies for warranty and other service disruptions. Moreover, we process the data to safeguard our rights and for the purposes of administrative tasks related to these obligations and organizational tasks. We also process the data based on our legitimate interests in proper and economically efficient management as well as in security measures to protect our contract partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other supporting services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In the context of applicable law, we only pass on the data of contract partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Further forms of processing, e.g., for marketing purposes, will be disclosed to contract partners in the context of this privacy policy.

We will inform contract partners beforehand or in the context of data collection about which data is necessary for the aforementioned purposes, e.g., in online forms, by special identification (e.g., colors) or symbols (e.g., asterisks), or personally.

We delete the data after the expiration of legal warranty and similar obligations, i.e., basically after 4 years, unless the data is stored in a customer account, e.g., as long as they must be retained for legal archival reasons. The legal retention period for tax-relevant documents and for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions required for understanding these documents and other organizational documents and booking documents is ten years, as well as for received commercial and business letters and copies of sent commercial and business letters six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statement, or the management report was prepared, the commercial or business letter was received or sent or the booking document was created or the recording was made or the other documents were created.

As far as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

Processed Data Types: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., contract subject, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Customers; interested parties; business and contractual partners.
Purposes of Processing: Providing contractual services and customer service; security measures; contact inquiries and communication; office and organizational procedures; administration and response to inquiries.
Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Shop and E-Commerce: We process the data of our customers to enable them to select, acquire, or order the chosen products, goods, and associated services, as well as their payment and delivery or execution. To fulfill an order, we use service providers, particularly postal, freight, and shipping companies, to deliver or execute to our customers. For processing payment transactions, we use the services of banks and payment service providers. The required information is marked as such in the context of the ordering process or comparable acquisition process and includes the information required for delivery, or provision and invoicing, as well as contact information to hold any discussion; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR).

Use of Online Platforms for Offering and Distribution Purposes

We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy policy, the privacy policies of the respective platforms apply. This is particularly true regarding the execution of the payment process and the measurement procedures for reach and interest-based marketing used on the platforms.

Processed Data Types: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., contract subject, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Customers.
Purposes of Processing: Providing contractual services and customer service; marketing.
Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Provision of the Online Offering and Web Hosting

To provide our online offering safely and efficiently, we utilize the services of one or more web hosting providers from whose servers (or servers they manage) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The data processed in the context of providing the hosting offering may include all information relating to users of our online offering that arises in the context of use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offerings to browsers, and all inputs made within our online offering or by websites.

Processed Data Types: Content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Providing our online offerings and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Collection of Access Data and Log Files: We (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the retrieved webpages and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, the operating system of the user, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. The server log files may be used for security purposes, e.g., to prevent server overloads (especially in cases of abusive attacks, so-called DDoS attacks) and on the other hand, to ensure the load and stability of the servers; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Deletion of Data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data that must be retained for evidential purposes is exempt from deletion until the respective incident is resolved.

Registration, Sign-Up, and User Account

Users can create a user account. During registration, necessary mandatory information is provided to users and processed for the provision of the user account based on contractual obligations. The processed data includes, in particular, the login information (username, password, and an email address).

In the context of using our registration and sign-up functions, as well as using the user account, we store the IP address and the time of each user action. The storage is based on our legitimate interests as well as those of users in protection against misuse and other unauthorized use. This data is generally not shared with third parties unless necessary for pursuing our claims or there is a legal obligation to do so.

Users may be informed about relevant processes for their user account, such as technical changes, via email.

Processed Data Types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Providing contractual services and customer service; security measures; administration and response to inquiries; providing our online offerings and user-friendliness.
Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Registration with Real Names: Due to the nature of our community, users are requested to use their real names to access our services. This means the use of pseudonyms is not permitted; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR).
Deletion of Data after Termination: If users have terminated their user accounts, their data will be deleted with respect to the user account, subject to any legal permissions, obligations, or user consent; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR).
No Retention Obligation for Data: It is the responsibility of users to secure their data upon termination prior to the end of the contract. We are entitled to irretrievably delete all data stored during the contract duration; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR).

Blogs and Publication Media

We use blogs or similar means of online communication and publication (hereinafter referred to as "publication media"). The data of the readers are only processed for the purposes of the publication media to the extent necessary for their presentation and communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication media in this privacy notice.

Processed Data Types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Providing contractual services and customer service; feedback (e.g., collecting feedback via online form); providing our online offerings and user-friendliness.
Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Contact and Inquiry Management

When contacting us (e.g., via contact form, email, phone, or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary for answering the contact inquiries and any requested measures.

The responses to contact inquiries and the management of contact and inquiry data within the context of contractual or pre-contractual relationships are conducted to fulfill our contractual obligations or to answer (pre)contractual inquiries and otherwise based on legitimate interests in responding to inquiries and maintaining user or business relationships.

Processed Data Types: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Communication partners.
Purposes of Processing: Providing contractual services and customer service; contact inquiries and communication; management and response to inquiries; feedback (e.g., collecting feedback via online form); providing our online offerings and user-friendliness.
Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Contact Form: If users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to manage the inquiry. For this purpose, we process personal data within the framework of pre-contractual and contractual business relationships, as far as necessary for their fulfillment and otherwise based on our legitimate interests as well as the interests of communication partners in addressing concerns and our legal retention obligations; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as "newsletters") only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described during sign-up, they are decisive for the users' consent. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you for a name for personal addressing in the newsletter or additional information if necessary for the purposes of the newsletter.

Double Opt-In Procedure: The registration for our newsletter generally takes place in a so-called double opt-in procedure. This means you will receive an email after registering, in which you will be asked to confirm your registration. This confirmation is necessary to ensure that no one can register with foreign email addresses. Registrations for the newsletter will be logged to comply with legal requirements regarding the registration process. This includes storing the time of registration and confirmation as well as the IP address. Any changes to your data stored with the mailing service provider are also logged.

Deletion and Restriction of Processing: We may store the unsubscribed email addresses for up to three years based on our legitimate interests before we delete them to prove a previously granted consent. The processing of this data is limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time, provided that the former existence of consent is also confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address only for this purpose in a blocking list (so-called "blocklist").

The logging of the registration process is based on our legitimate interests to demonstrate the proper course of the process. If we engage a provider for sending emails, this is done based on our legitimate interests in an efficient and secure mailing system.

Contents:

Information about us, our services, promotions, and offers.

Processed Data Types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); meta/communication data (e.g., device information, IP addresses); usage data (e.g., visited websites, interest in content, access times).
Affected Persons: Communication partners; users (e.g., website visitors, users of online services).
Purposes of Processing: Direct marketing (e.g., via email or postal); providing contractual services and customer service.
Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Right to Object (Opt-Out): You can unsubscribe from our newsletter at any time, i.e., revoke your consents or object to further reception. A link to unsubscribe from the newsletter can be found either at the end of each newsletter or you can use one of the contact options provided above, preferably email, for this purpose.

Further Notes on Processing Processes, Procedures, and Services:

Measuring Open and Click Rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server, or, if we use a mailing service provider, from their server when the newsletter is opened. In this context, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is collected. This information is used to technically improve our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations serve to recognize the reading habits of our users and to adapt our content to them or to send different content based on the interests of our users. The measurement of open and click rates and the storage of the measurement results in the users' profiles as well as their further processing are carried out based on user consent. A separate revocation of the success measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or must be opposed. In this case, the stored profile information is deleted.

Google Analytics: Measuring the success of email campaigns and creating user profiles with a storage duration of up to two years; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Right to Object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for displaying ad impressions: https://adssettings.google.com/authenticated; Further Information: Types of processing and data processed: https://privacy.google.com/businesses/adsservices; Data processing conditions for Google advertising products and standard contractual clauses for data transfers to third countries: https://business.safety.google/adsprocessorterms.
Prerequisite for Using Free Services: Consent to the dispatch of mailings may be made a prerequisite for using free services (e.g., access to certain content or participation in certain actions). If users wish to use the free service without subscribing to the newsletter, we ask you to contact us.
Reminder Emails for the Ordering Process: If users do not complete an ordering process, we may remind users via email of the ordering process and send them a link for continuation. This function can be useful if the purchasing process cannot be continued due to a browser crash, oversight, or forgetfulness. The dispatch is based on consent, which users can revoke at any time.
SendinBlue: Email marketing platform; Service Provider: SendinBlue SAS, 55, rue d’Amsterdam, 75008 Paris, France; Website: https://de.sendinblue.com/; Privacy Policy: https://www.sendinblue.com/legal/privacypolicy/; Standard contractual clauses (guaranteeing data protection level when processing in third countries): Contract concluded with provider.

Social Media Presences

We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us.

We indicate that user data may be processed outside the European Union. This can pose risks for users, as, for example, the enforcement of users' rights may be more difficult.

Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, based on usage behavior and resulting interests, usage profiles can be created. These usage profiles can then be used to target advertisements within and outside the networks that presumably meet the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which usage behavior and interests are saved. Furthermore, in the usage profiles, data can also be stored independently of the devices used by the users (especially if the users are members of the respective platforms and logged in to them).

For a detailed representation of the respective forms of processing and the options for objection (Opt-Out), please refer to the privacy policies and information provided by the operators of the respective networks.

Also, in the case of inquiries and asserting rights of the affected persons, we point out that these can be most effectively asserted with the providers. Only the providers have access to the users' data and can take corresponding actions and provide information directly. However, if you need assistance, you can contact us.

Processed Data Types: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Contact inquiries and communication; feedback (e.g., collecting feedback via online form); marketing.
Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Instagram: Social network; Service Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (so-called "fanpage"). This data includes information on the types of content users view or interact with, or the actions they take (see under "Things You and Others Have Done and Provided" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under "Device Information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How Do We Use This Information?", Facebook also collects and uses information to provide analytical services, so-called "Page Insights", for page operators so that these can gain insights into how people interact with their pages and the associated content. We have concluded a special agreement with Facebook ("Information on Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which particularly regulates the security measures that Facebook must observe and in which Facebook agrees to fulfill the rights of the affected persons (i.e., users can, for example, direct inquiries or deletion requests directly to Facebook). The rights of users (in particular, for information, deletion, objection, and complaint to the competent supervisory authority) are in no way restricted by the agreements with Facebook. Further information can be found in the "Information on Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Website: https://www.facebook.com; Privacy Policy:https://www.facebook.com/about/privacy Standard contractual clauses (guaranteeing data protection level when processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum Further Information: Joint responsibility agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.

Plugins and Embedded Functions as well as Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). This may involve, for example, graphics, videos, or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the users' IP address, as they cannot send the contents to their browsers without the IP address. The IP address is thus necessary for the display of these contents or functions. We strive to use only such contents whose respective providers use the IP address solely for the delivery of the contents. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. By using the "pixel tags", information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the users' devices and may include technical information about the browser and operating system, referring websites, visiting time, and other information related to the use of our online offering, as well as being connected with such information from other sources.

Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Providing our online offerings and user-friendliness; marketing; profiles with user-related information (creating user profiles).
Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Instagram Plugins and Content: Instagram plugins and content – This may include, for example, content such as images, videos, or texts and buttons that allow users to share content from this online offering within Instagram. – We are jointly responsible with Meta Platforms Ireland Limited for the collection or retention during transmission (but not the subsequent processing) of "event data" that Facebook collects or retains during a transmission via Instagram functions (e.g., embedding functions for content) that are executed on our online offering for the following purposes: a) displaying content and advertising information that presumably corresponds to the interests of users; b) delivering commercial and transaction-related messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing functions and content (e.g., improving detection of which content or advertising information presumably corresponds to users' interests). We have concluded a special agreement with Facebook ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum), which regulates the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of affected persons (i.e., users can, for example, direct inquiries or deletion requests directly to Facebook). Note: If Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain details about individual users and are anonymous for us), this processing does not take place in the context of joint responsibility but on the basis of a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing) and "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and concerning processing in the USA on the basis of standard contractual clauses ("Facebook-EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular, regarding information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by agreements with Facebook; Service Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.

Management, Organization, and Auxiliary Tools

We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organization, management, planning, and the provision of our services. When selecting third-party providers and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. Various data that we process according to this privacy policy may be affected. This data may include, in particular, inventory and contact data of the users, data regarding transactions, contracts, other processes and their contents.

Therefore, if users are referred to the third-party providers or their software or platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and meta-data for security, service optimization or marketing purposes. We therefore ask you to observe the data protection information of the respective third-party providers.

Processed Data Types: Content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Affected Persons: Communication partners; users (e.g., website visitors, users of online services).
Purposes of Processing: Contact inquiries and communication; providing contractual services and customer service; office and organizational procedures.
Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Memberspot: External member area; Service Provider: Memberspot GmbH, Rilkestr. 26, 71642 Ludwigsburg; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Website: https://www.memberspot.de; Privacy Policy: https://www.memberspot.de/datenschutz.

Changes and Updates to the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as changes in our data processing operations make this necessary. We will inform you as soon as participation from your side (e.g., consent) or any other individual notification is required due to the changes.

Should we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, and we ask you to verify the information before contacting.

Rights of the Affected Persons

You have various rights as affected persons under the GDPR, which arise particularly from Art. 15 to 21 GDPR:

Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
Right of Withdrawal for Consents: You have the right to withdraw consents granted at any time.
Right to Information: You have the right to request confirmation as to whether personal data concerning you are being processed and to obtain information about such data as well as further information and copies of the data in accordance with legal requirements.
Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.
Right to Deletion and Restriction of Processing: You have the right, in accordance with legal requirements, to request that personal data concerning you be deleted immediately or alternatively to request, in accordance with legal requirements, a restriction of processing of the data.
Right to Data Portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to demand the transmission to another controller in accordance with legal requirements.
Complaint to Supervisory Authority: You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the provisions of the GDPR, without prejudice to any other administrative or judicial remedy.

Definitions of Terms

This section provides an overview of the terminology used in this privacy policy. Many of the terms are taken from the law and are primarily defined in Art. 4 GDPR. The legal definitions are binding. The following explanations are intended primarily for understanding and are sorted alphabetically.

Personal Data: “Personal data” is any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific features characteristic of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Profiles with User-Related Information: The processing of “profiles with user-related information”, or briefly “profiles”, includes any kind of automated processing of personal data that consists of using such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
Controller: The term “controller” refers to the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
Processing: “Processing” is any operation or set of operations which is performed upon personal data, whether or not by automated means. The term is broad and covers practically every handling of data, including collecting, evaluating, storing, transmitting, or deleting.