Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of personal data (hereinafter referred to as "data") that we process, for which purposes, and to what extent in the context of providing our application.
The terms used are not gender-specific.
Date: December 9, 2024
Table of Contents
- Preamble
- Data Controller
- Overview of Processing Activities
- Relevant Legal Grounds
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of the Data Subjects
- Business Services
- Business Processes and Procedures
- Provision of Online Services and Web Hosting
- Contact and Inquiry Management
- Web Analysis, Monitoring, and Optimization
Data Controller
Laschinger Lukas Karl Konstantin, Schackmann Luca Markus GbR
Buchbergerstraße 10c
82538 Geretsried, Germany
Authorized Representatives: Lukas Laschinger and Luca Schackmann
Email: [email protected]
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes for which they are processed, and refers to the affected individuals.
Types of Processed Data
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and procedural data.
- Log data.
Categories of Affected Individuals
- Service recipients and clients.
- Prospects.
- Communication partners.
- Users.
- Business and contractual partners.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Reach measurement.
- Office and organizational procedures.
- Organizational and administrative procedures.
- Feedback.
- Profiles with user-related information.
- Provision of our online services and user-friendliness.
- Information technology infrastructure.
- Business processes and business administration procedures.
Relevant Legal Grounds
Relevant Legal Grounds under the GDPR: Below is an overview of the legal grounds under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered office. If more specific legal grounds are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract Fulfillment and Pre-Contractual Requests (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
- Legal Obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate Interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided these interests are not overridden by the interests, fundamental rights, and freedoms of the data subject.
National Data Protection Regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. This includes the Federal Data Protection Act (BDSG), which contains special provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, data transfers, and automated decision-making, including profiling. In addition, state-specific data protection laws may apply.
Note on Applicability of the GDPR and Swiss Data Protection Law (DSG): These privacy notices serve both the information requirements under the Swiss DSG and the GDPR. Therefore, please note that, due to broader territorial application and clarity, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DSG such as "processing" of "personal data," "overriding legitimate interest," and "sensitive personal data," the terms used in the GDPR, such as "processing" of "personal data" and "legitimate interest" and "special categories of data," are applied. However, the legal meaning of these terms is still determined according to the Swiss DSG in the context of its application.
Transfer of Personal Data
As part of our processing of personal data, it may be necessary to transfer or disclose data to other entities, companies, legally independent organizations, or individuals. Recipients of this data may include, for example, service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into contracts or agreements with the recipients of the data to protect your data.
Data Transfer within the Organization: We may transfer personal data to other departments or units within our organization or grant them access to such data. If data is transferred for administrative purposes, this is based on our legitimate business and operational interests, or takes place where it is required to fulfill our contractual obligations or where the data subject's consent or a legal authorization exists.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing occurs in the context of using services from third parties or disclosing or transferring data to other individuals, entities, or companies, this is done in compliance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only occur if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or if required for contractual or legal data transfers (Art. 49(1) GDPR). We will inform you of the basis for third-country transfers with the specific providers from third countries, with adequacy decisions being the primary basis. Information on third-country transfers and available adequacy decisions can be found in the EU Commission’s information portal: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. As part of the "Data Privacy Framework" (DPF), the EU Commission has also recognized the data protection level as safe for certain companies from the USA under the adequacy decision of July 10, 2023. The list of certified companies and more information on the DPF can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/ (in English). We will inform you in the privacy notices about which of the services we use are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal requirements once the underlying consents are withdrawn or no further legal grounds for processing exist. This applies in cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests require a longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons, or data whose retention is necessary for legal proceedings or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices include additional information on the retention and deletion of data that applies specifically to certain processing operations.
When multiple retention periods or deletion deadlines are specified for a data item, the longest period applies.
If a period does not start on a specific date and lasts at least one year, it will automatically start at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships, the triggering event for retention is the time when the termination or other conclusion of the legal relationship takes effect.
Data that is no longer required for the original purpose, but is retained due to legal requirements or other reasons, will only be processed for the reasons that justify its retention.
Further Information on Processing Operations, Procedures, and Services:
- Retention and Deletion of Data: The following general retention periods apply for storage and archiving under German law:
  - 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the necessary working instructions and other organizational documents, booking receipts, and invoices (§ 147(3) in conjunction with § 1 No. 1, 4, and 4a AO, § 14b(1) UStG, § 257(1) No. 1 and 4, (4) HGB).
  - 6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, e.g., hourly wage slips, cost accounting records, pricing information, as well as payroll documents, unless they are already accounting receipts, and cash receipts (§ 147(3) in conjunction with § 1 No. 2, 3, 5 AO, § 257(1) No. 2 and 3, (4) HGB).
  - 3 years - Data required to address potential warranty and liability claims or similar contractual claims and rights, as well as related inquiries based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of the Data Subjects
Rights of the data subjects under the GDPR: As data subjects, you are entitled to various rights under the GDPR, particularly those set out in Articles 15 to 21 GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. If your personal data is processed for direct marketing purposes, you also have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling, to the extent it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw your consent at any time.
- Right of Access: You have the right to request confirmation as to whether your data is being processed, and to obtain access to the data as well as further information and a copy of the data, in accordance with legal requirements.
- Right to Rectification: You have the right, under the legal requirements, to request the completion or correction of your personal data.
- Right to Erasure and Restriction of Processing: You have the right, under the legal requirements, to request the immediate erasure of your personal data, or alternatively, to request the restriction of processing of the data under the legal requirements.
- Right to Data Portability: You have the right, under the legal requirements, to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another data controller.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
Business Services
We process data of our contractual and business partners, such as customers and prospects (referred to collectively as "contract partners"), within the framework of contractual and similar legal relationships, as well as associated measures, and in communication with the contract partners (including at the pre-contractual stage), for example, in response to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, duties to provide agreed services, update obligations, and remedy warranty and other service disruptions. Additionally, we process the data to protect our rights and for administrative tasks associated with these obligations as well as business organization. Furthermore, we process the data based on our legitimate interests in proper and efficient business management, as well as security measures to protect our contract partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the scope of applicable law, we only share contract partner data with third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contract partners will be informed about other forms of processing, such as for marketing purposes, in this privacy policy.
We inform our contract partners about the data required for the aforementioned purposes before or at the time of data collection, for example, in online forms, by special markings (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiration of statutory warranty and similar obligations, i.e., in principle after four years, unless the data is stored in a customer account, e.g., for as long as it must be archived for legal reasons (e.g., for tax purposes, generally ten years). Data disclosed to us by the contract partner within the scope of an order is deleted in accordance with the provisions and, in principle, after the completion of the order.
- Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or phone numbers); contract data (e.g., contract subject, duration, customer category).
- Data Subjects: Service recipients and clients; prospects; business and contract partners.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and business management.
- Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion."
- Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Operations, Procedures, and Services:
- Provision of Software and Platform Services: We process the data of our users, registered and possibly trial users (hereinafter collectively referred to as "users") to provide them with our contractual services and based on legitimate interests to ensure the security of our offering and to further develop it. The required details are marked as such during the contract, order, or similar agreement process and include the information needed for service provision and billing, as well as contact information for any necessary follow-ups; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Provision of Online Services and Web Hosting
We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Processed Data Types: Usage data (e.g., page views, duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files related to logins or data retrieval or access times).
- Affected Persons: Users (e.g., website visitors, online service users).
- Purposes of Processing: Provision of our online services and user convenience; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
- Retention and Deletion: Deletion as specified in the section "General Information on Data Storage and Deletion."
- Legal Bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) or in the context of existing user and business relationships, the data of the requesting persons is processed as necessary to respond to inquiries and any requested actions.
- Processed Data Types: Inventory data (e.g., full name, address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information such as authorship or creation time).
- Affected Persons: Communication partners.
- Purposes of Processing: Communication; organizational and administrative processes; feedback (e.g., collecting feedback via online forms); provision of our online services and user convenience.
- Retention and Deletion: Deletion as specified in the section "General Information on Data Storage and Deletion."
- Legal Bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online services and may include behavioral, interest, or demographic information about visitors, such as age or gender, as pseudonymous values. Through reach analysis, we can, for example, determine when our online services or their functions or content are most frequently used or encourage repeat use. We can also identify areas that need optimization.
In addition to web analysis, we may also use testing methods to test and optimize different versions of our online services or components.
Unless otherwise specified below, profiles (i.e., data combined for a usage process) may be created for these purposes, and information may be stored in and read from a browser or device. The collected information includes, in particular, visited websites and elements used there, as well as technical details, such as the browser used, the computer system, and usage times. If users have consented to the collection of location data either to us or to the providers of services we use, location data may also be processed.
Furthermore, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. In general, no plain-text user data (e.g., email addresses or names) is stored in web analysis, A/B testing, and optimization processes, only pseudonyms. This means that neither we nor the providers of the software we use know the actual identity of the users, but only the data stored in their profiles for the purpose of the respective procedures.
Legal notes: If we ask users for consent to use third-party providers, the legal basis for data processing is the consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
- Processed Data Types: Usage data (e.g., page views, duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Affected Persons: Users (e.g., website visitors, online service users).
- Purposes of Processing: Reach measurement (e.g., access statistics, recognizing returning visitors); profiles with user-related information (creating user profiles); provision of our online services and user convenience.
- Retention and Deletion: Deletion as specified in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Further Notes on Processing Procedures, Methods, and Services:
- Google Analytics: We use Google Analytics to measure and analyze the usage of our online services based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device in order to determine which content users accessed within one or multiple usage processes, which search terms they used, which content they accessed again, or how they interacted with our online services. The time and duration of usage, the sources from which users were referred to our online services, and technical aspects of their devices and browsers are also stored.
Pseudonymous user profiles are created with information from the use of various devices, and cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this geolocation data derivation before being immediately deleted. It is not logged, not accessible, and not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing.
  - Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  - Legal Bases: Consent (Art. 6(1) sentence 1 lit. a GDPR)
  - Website: https://marketingplatform.google.com/intl/en/about/analytics/
  - Security Measures: IP masking (pseudonymization of the IP address)
  - Privacy Policy: https://policies.google.com/privacy
  - Processor Agreement: https://business.safety.google/adsprocessorterms/
  - Basis for Third-Country Transfers: Data Privacy Framework (DPF)
  - Opt-Out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Settings: https://myadcenter.google.com/personalizationoff
  - More Information: https://business.safety.google/adsservices/ (Types of processing and data processed)
Created with the free Privacy Policy Generator by Dr. Thomas Schwenke
