Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as "online offer").

The terms used are not gender-specific.

Status: July 24, 2024

Table of Contents

• Preamble
• Responsible Party
• Overview of Processing
• Relevant Legal Bases
• Security Measures
• Transmission of Personal Data
• International Data Transfers
• General Information on Data Storage and Deletion
• Rights of Data Subjects
• Business Services
• Business Processes and Procedures
• Payment Procedures
• Provision of the Online Offer and Web Hosting
• Use of Cookies
• Newsletters and Electronic Notifications
• Advertising Communication via Email, Post, Fax, or Telephone
• Web Analysis, Monitoring, and Optimization
• Online Marketing
• Social Media Presences
• Plugins and Embedded Functions and Content

Responsible Party

Stefan Struik / Vegan Manga BV
De Nieuwe Erven 3
543 NV Cuijk
Netherlands
Email: stefan@drach-oc.com
Imprint: https://drach-oc.com/Rechtliches/Impressum/

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of Data Processed

• Inventory data.
• Payment data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication, and procedural data.
• Log data.

Categories of Data Subjects

• Service recipients and clients.
• Interested parties.
• Communication partners.
• Users.
• Business and contractual partners.
• Customers.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Office and organizational procedures.
• Conversion measurement.
• Target group formation.
• Organizational and administrative procedures.
• Feedback.
• Marketing.
• Profiles with user-related information.
• Provision of our online offer and user-friendliness.
• Information technology infrastructure.
• Public relations.
• Sales promotion.
• Business processes and economic procedures.

Relevant Legal Bases

Relevant legal bases under the GDPR: In the following, you will receive an overview of the legal bases of the GDPR, based on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or seat. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party, or to carry out pre-contractual measures taken at the request of the data subject.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - The processing is necessary to fulfill a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - The processing is necessary to safeguard the legitimate interests of the controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not override them.

National data protection regulations in the Netherlands: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in the Netherlands. This includes, in particular, the "Implementation Act on the General Data Protection Regulation" (Uitvoeringswet Algemene verordening gegevensbescherming - UAVG).

Security Measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input, transfer, availability, and separation of data. Furthermore, we have established procedures that ensure the exercise of data subjects' rights, the deletion of data, and responses to data breaches. We also consider the protection of personal data already during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transmitted to other entities, companies, legally independent organizational units, or persons, or they are disclosed to them. Among the recipients of this data may be service providers commissioned with IT tasks or providers of services and content that are embedded in a website. In such cases, we comply with the legal requirements and conclude corresponding contracts or agreements with the recipients of your data, which serve to protect your data.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if the processing takes place in the context of using third-party services or disclosure or transmission of data to other persons, entities, or companies, this is only done in accordance with the legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers are only carried out if the level of data protection is otherwise guaranteed, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of contractual or legally required transmission (Art. 49 para. 1 GDPR). In other cases, we will inform you of the bases of third-country transfers for each provider from a third country, whereby the adequacy decisions take precedence. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Within the framework of the so-called "Data Privacy Framework" (DPF), the EU Commission also recognized the level of data protection for certain companies in the USA as safe within the framework of the adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www .dataprivacyframework.gov/ (in English). We will inform you in the context of the privacy notices which service providers we use are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data processed by us in accordance with the legal requirements as soon as the consents on which the processing is based are revoked or other legal grounds for the processing no longer apply. This includes cases where the original purpose for processing the data no longer exists or the data is no longer needed for that purpose. Exceptions to this rule apply if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that apply specifically to certain processing procedures.

If multiple retention periods or deletion deadlines are specified for a piece of data, the longest period always applies.

If a period does not explicitly start on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the effective date of the termination or other ending of the legal relationship.

Data that is no longer needed for the original purpose but is retained due to legal requirements or other reasons will be processed exclusively for the reasons justifying their retention.

Further Notes on Processing Procedures, Processes, and Services:

Retention and Deletion of Data

The following general periods apply for retention and archiving under German law:

• 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the working instructions and other organizational documents required to understand them, booking receipts, and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
• 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents relevant for taxation, such as hourly wage slips, business calculation sheets, calculation documents, price lists, but also payroll documents unless they are already booking receipts and cash register tapes (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, para. 4 HGB).
• 3 years - Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights, as well as related inquiries, based on past business experiences and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw any consent given at any time.
• Right to information: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data and further information and a copy of the data in accordance with legal requirements.
• Right to rectification: You have the right to request the completion or correction of data concerning you in accordance with legal requirements.
• Right to deletion and restriction of processing: You have the right to request that data concerning you be deleted immediately in accordance with legal requirements, or alternatively, to request restriction of processing of the data in accordance with legal requirements.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements or to request its transmission to another controller.
• Complaint to a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates the GDPR, without prejudice to any other administrative or judicial remedy.

Business Services

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners"), in the context of contractual and similar legal relationships as well as related measures and in regard to communication with the contractual partners (or pre-contractual), such as responding to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the duties to provide the agreed services, any obligations to update and remedy warranty and other performance defects. Additionally, we use the data to safeguard our rights and for purposes of administrative tasks associated with these obligations and corporate organization. Furthermore, we process the data based on our legitimate interests in proper and economic business management and security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., participation of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax, and legal advisers, payment service providers, or tax authorities). To the extent permitted by law, we only disclose the data of contractual partners to third parties as necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed of further forms of processing, such as for marketing purposes, within the context of this privacy policy.

We inform contractual partners which data is necessary for the aforementioned purposes before or during data collection, e.g., in online forms, through specific markings (e.g., colors) or symbols (e.g., asterisks), or personally.

We delete the data after expiration of legal warranty and similar obligations, generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal reasons of archiving (e.g., for tax purposes, usually ten years). Data disclosed to us by the contractual partner in the context of an order is deleted according to the specifications and generally after the end of the order.

Processed Data Types

• Inventory data (e.g., full name, residential address, contact information, customer number, etc.).
• Payment data (e.g., bank details, invoices, payment history).
• Contact data (e.g., postal and email addresses or phone numbers).
• Contract data (e.g., subject of contract, term, customer category).
• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Service recipients and clients.
• Interested parties.
• Business and contractual partners.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Security measures.
• Communication.
• Office and organizational procedures.
• Organizational and administrative procedures.
• Business processes and economic procedures.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Online Shop, Order Forms, E-Commerce, and Delivery

We process the data of our customers to enable them to select, purchase, or order the chosen products, goods, and related services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, in particular postal, shipping, and transport companies, to carry out delivery or execution to our customers. For processing payment transactions, we use the services of banks and payment service providers. The necessary information is identified as such in the order or comparable acquisition process and includes the required details for delivery, provision, and billing, as well as contact information to address any queries; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Business Processes and Procedures

Personal data of service recipients and clients, including customers, clients, or in specific cases, clients, patients, or business partners, as well as other third parties, are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment transactions, accounting, and project management.

The collected data is used to fulfill contractual obligations and streamline business processes. This includes the execution of business transactions, customer relationship management, optimization of sales strategies, and ensuring internal accounting and financial processes. Additionally, the data supports the protection of the rights of the responsible party and promotes administrative tasks and corporate organization.

Personal data may be disclosed to third parties if necessary to fulfill the mentioned purposes or legal obligations.

Processed Data Types

• Inventory data (e.g., full name, residential address, contact information, customer number).
• Payment data (e.g., bank details, invoices, payment history).
• Contact data (e.g., postal and email addresses or phone numbers).
• Content data (e.g., textual or visual messages and contributions, and the information concerning them, such as authorship details).
• Contract data (e.g., subject of contract, term, customer category).
• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Service recipients and clients.
• Interested parties.
• Communication partners.
• Business and contractual partners.
• Customers.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Office and organizational procedures.
• Business processes and economic procedures.
• Security measures.
• Provision of our online offer and user-friendliness.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Customer Account

Customers can create an account within our online offer (e.g., customer or user account, "customer account"). If the registration of a customer account is required, customers are informed of this as well as the necessary details for the registration. Customer accounts are not public and cannot be indexed by search engines. In the context of registration and subsequent logins and uses of the customer account, we store the IP addresses of customers along with the access times to prove the registration and to prevent any misuse of the customer account. If the customer account is terminated, the data of the customer account will be deleted after the termination date, provided it is not required for other purposes such as the provision within the customer account or must be retained for legal reasons (e.g., internal storage of customer data, order transactions, or invoices). It is the responsibility of the customers to back up their data upon termination of the customer account; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Economic Analyses and Market Research

To fulfill business purposes and recognize market trends, partner and user preferences, the present data on business transactions, contracts, inquiries, etc., are analyzed. Affected persons can include contractual partners, interested parties, customers, visitors, and users of the online offer of the controller. The conduct of the analyses serves the purposes of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). If available, profiles of registered users with their details on used services are taken into account. The analyses are exclusively for the controller and are not disclosed externally unless they are anonymous analyses with aggregated, i.e., anonymized values. Additionally, privacy is respected; the data is processed for analysis purposes as pseudonymized as possible and, where feasible, anonymized (e.g., as aggregated data); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Payment Procedures

In the context of contractual and other legal relationships, due to legal obligations, or otherwise based on our legitimate interests, we offer efficient and secure payment options to the affected persons and use banks and other service providers (collectively referred to as "payment service providers").

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, sum, and recipient-related details. The information is necessary to carry out the transactions. However, the entered data is only processed by the payment service providers and stored by them. This means we do not receive any account or credit card-related information but only information with confirmation or negative information of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. This transmission is intended to check identity and creditworthiness. For this, we refer to the terms and privacy notices of the payment service providers.

For payment transactions, the terms and privacy notices of the respective payment service providers, which are accessible within the respective websites or transaction applications, apply. We refer to these also for further information and the assertion of revocation, information, and other affected rights.

Processed Data Types

• Inventory data (e.g., full name, residential address, contact information, customer number, etc.).
• Payment data (e.g., bank details, invoices, payment history).
• Contract data (e.g., subject of contract, term, customer category).
• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Service recipients and clients.
• Business and contractual partners.
• Interested parties.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Business processes and economic procedures.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Mastercard

Payment services (technical connection of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.mastercard.de/de-de.html; Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.

PayPal

Payment services (technical connection of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S. à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Stripe

Payment services (technical connection of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/de/privacy; Basis for third-country transfers: Data Privacy Framework (DPF).

Visa

Payment services (technical connection of online payment methods); Service provider: Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, GB; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.visa.de; Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html; Basis for third-country transfers: Adequacy Decision (GB).

Provision of the Online Offer and Web Hosting

We process the data of users to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the contents and functions of our online services to the user's browser or device.

Processed Data Types

• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
• Log data (e.g., log files regarding logins or data retrieval or access times).

Affected Persons

• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Provision of our online offer and user-friendliness.
• Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).
• Security measures.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Collection of Access Data and Log Files

Access to our online offer is logged in the form of so-called "server log files". Server log files can include the address and name of the accessed websites and files, the date and time of access, transmitted data volumes, reports of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to prevent overloading of the servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server stability and load distribution; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidence purposes is excluded from deletion until the respective incident is finally clarified.

MAXCLUSTER

Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: maxcluster GmbH, Lise-Meitner-Str. 1b, 33104 Paderborn, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://maxcluster.de; Privacy Policy: https://maxcluster.de/datenschutz; Data processing agreement: Provided by the service provider.

Use of Cookies

Cookies are small text files or other storage markers that store information on end devices and read information from them. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed contents or used functions of an online offer. Cookies can also be used for various purposes, such as ensuring the functionality, security, and comfort of online offers and creating analyses of visitor flows.

Notes on Consent

We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless it is not required by law. Permission is particularly not necessary if storing and accessing the information, including cookies, is essential to provide a telemedia service explicitly requested by the user (i.e., our online offer). The revocable consent is clearly communicated to the users and includes information on the respective cookie use.

Notes on Legal Bases for Data Protection

The legal basis on which we process users' personal data using cookies depends on whether we ask for users' consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed using cookies is based on our legitimate interests (e.g., an economically viable operation of our online offer and its improvement) or, if necessary, to fulfill our contractual obligations if the use of cookies is required to meet our contractual obligations. We inform users about the purposes for which the cookies are used in this privacy policy or as part of our consent and processing processes.

Storage Duration

Regarding storage duration, the following types of cookies are distinguished:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g., browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user revisits a website. Likewise, the data collected using cookies can be used to measure reach. If we do not provide explicit information on the type and storage duration of cookies, users should assume that these are permanent and that the storage duration can be up to two years.

General Information on Revocation and Objection (Opt-out)

Users can revoke their given consents at any time and object to the processing according to the legal requirements, also through the privacy settings of their browser.

Processed Data Types

• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Users (e.g., website visitors, users of online services).

Legal Bases

• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

BorlabsCookie

Consent management: Procedure for obtaining, logging, managing, and revoking consents, especially for the use of cookies and similar technologies to store, read, and process information on users' end devices, as well as their processing; Service provider: Execution on servers and/or computers under own data protection responsibility; Website: https://de.borlabs.io/borlabs-cookie/; Further information: An individual user ID, language, and types of consents and the time of their submission are stored server-side and in the cookie on the user's device.

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as "newsletters") exclusively with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specifically described during registration, they are decisive for the user's consent. Usually, it is sufficient to provide your email address for the newsletter registration. However, to provide you with a personalized service, we may request your name for a personal address in the newsletter or additional information if this is necessary for the purpose of the newsletter.

Retention and Limitation of Processing

We can store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to provide evidence of previously given consent. The processing of these data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided that the former existence of a consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blacklist (so-called "blocklist").

The logging of the registration procedure is based on our legitimate interests for the purpose of proving its proper execution. If we commission a service provider to send emails, this is based on our legitimate interests in an efficient and secure mailing system.

Contents

• Information about us, our services, actions, and offers.

Processed Data Types

• Inventory data (e.g., full name, residential address, contact information, customer number, etc.).
• Contact data (e.g., postal and email addresses or phone numbers).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).

Affected Persons

• Communication partners.
• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Direct marketing (e.g., via email or postal).
• Provision of contractual services and fulfillment of contractual obligations.

Retention and Deletion

• 3 years - Contractual claims (AT) (Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as related inquiries, are stored for the regular statutory limitation period of three years based on past business experiences and common industry practices (§§ 1478, 1480 ABGB).
• 10 years - Contractual claims (CH) (Data required to consider potential damage claims or similar contractual claims and rights, as well as for processing related inquiries, are stored for the statutory limitation period of ten years based on past business experiences and common industry practices, unless a shorter period of 5 years applies, which is relevant in certain cases (Art. 127, 130 OR).

Legal Bases

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Opt-Out Option

You can cancel the receipt of our newsletter at any time, i.e., revoke your consents or object to further receipt. A link to cancel the newsletter can be found either at the end of each newsletter or otherwise, you can use one of the contact options provided above, preferably email, for this purpose.

Further Notes on Processing Procedures, Processes, and Services:

Measurement of Opening and Click Rates

The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our or, if we use a mailing service provider, from its server when opening the newsletter. During this retrieval, technical information such as browser and your system, as well as your IP address and the time of retrieval, are initially collected. This information is used to improve our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until deleted. The evaluations serve to recognize the reading habits of our users and adapt our content to them or send different content according to the interests of our users. The measurement of opening and click rates and the storage of the measurement results in the profiles of the users - Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Requirement for Using Free Services

The consents to the mailing can be made a condition for using free services (e.g., access to certain content or participation in certain actions). If users wish to use the free service without subscribing to the newsletter, we ask you to contact us.

CleverReach

Email dispatch and automation services; Service provider: CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.cleverreach.com/de; Privacy Policy: https://www.cleverreach.com/de/datenschutz/; Data processing agreement: Provided by the service provider.

Advertising Communication via Email, Post, Fax, or Telephone

We process personal data for the purposes of advertising communication, which can take place via various channels, such as email, telephone, post, or fax, in accordance with legal requirements.

Recipients have the right to revoke given consents at any time or to object to advertising communication at any time.

After revocation or objection, we store the data required to prove previous authorization to contact or send up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of potential defense against claims. Based on the legitimate interest to permanently observe the revocation or objection of users, we also store the data required to avoid renewed contact (e.g., depending on the communication channel, the email address, phone number, name).

Processed Data Types

• Inventory data (e.g., full name, residential address, contact information, customer number, etc.).
• Contact data (e.g., postal and email addresses or phone numbers).
• Content data (e.g., textual or visual messages and contributions and the information concerning them, such as authorship details or time of creation).

Affected Persons

• Communication partners.

Purposes of Processing

• Direct marketing (e.g., via email or postal).
• Marketing.
• Sales promotion.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offer and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offer or its functions or contents are most frequently used or invite for reuse. Similarly, we can understand which areas need optimization.

In addition to web analysis, we can also use test procedures, e.g., to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles, i.e., data summarized into a usage process, can be created and stored in a browser or an end device and then read out for these purposes. The collected information includes visited websites and used elements and technical details, such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data to us or the providers of the services we use, location data may also be processed.

In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) are stored within the scope of web analysis, A/B testing, and optimization, but pseudonyms. This means that we and the providers of the used software do not know the actual identity of the users, but only the data stored in their profiles for the respective procedures.

Notes on Legal Bases

If we ask users for their consent to use the third-party providers, the legal basis for data processing is the declared consent. Otherwise, the user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.

Processed Data Types

• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Reach measurement (e.g., access statistics, recognition of returning visitors).
• Profiles with user-related information (creating user profiles).
• Provision of our online offer and user-friendliness.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years.).

Security Measures

IP masking (pseudonymization of the IP address).

Legal Bases

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Google Analytics

We use Google Analytics to measure and analyze the use of our online offer based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to associate analysis information with an end device to recognize which content the users have accessed within one or more usage processes, which search terms they used, accessed again, or interacted with our online offer. The time of use and its duration, as well as the sources of users referring to our online offer and technical aspects of their end devices and browsers, are also stored.

In the process, pseudonymous profiles of users are created with information from the use of various devices, where cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU data traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. They are not logged, are not accessible, and are not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for ad display: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and processed data).

Google Tag Manager

We use Google Tag Manager, a software from Google, that allows us to centrally manage so-called website tags via a user interface. Tags are small code elements on our website that serve to record and analyze visitor activities. This technology helps us improve our website and the content offered on it. The Google Tag Manager itself does not create user profiles, does not store cookies with user profiles, and does not perform independent analyses. Its function is limited to facilitating the integration and management of tools and services we use on our website. Nevertheless, the user's IP address is transmitted to Google when using the Google Tag Manager, which is necessary for technical reasons to implement the services we use. Cookies may also be set in the process. This data processing only occurs if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the further sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Basis for third-country transfers: Data Privacy Framework (DPF).

Online Marketing

We process personal data for the purpose of online marketing, including marketing of advertising space or displaying promotional and other content (collectively referred to as "content") based on potential user interests and measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar procedures are used, through which the relevant information for displaying the aforementioned content is stored about the user. This may include viewed content, visited websites, used online networks, but also communication partners and technical information, such as the used browser, the used computer system, and usage times. If users have consented to the collection of their location data, this may also be processed.

In addition, the IP addresses of users are stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) are stored within the scope of online marketing procedures, but pseudonyms. This means that we and the providers of the used online marketing procedures do not know the actual identity of the users, but only the data stored in their profiles for the respective procedures.

The information in the profiles is generally stored in the cookies or similar procedures. These cookies can later be read on other websites using the same online marketing procedure and analyzed for displaying content and supplemented with additional data and stored on the server of the online marketing procedure provider.

In exceptional cases, it is possible to assign clear data to the profiles, mainly when users, for example, are members of a social network whose online marketing procedures we use and the network connects the profiles with the aforementioned data. We ask you to note that users can agree on additional terms with the providers, e.g., by giving consent during registration.

We generally only access aggregated information about the success of our advertisements. However, we can use so-called conversion measurements to check which of our online marketing procedures have led to a so-called conversion, i.e., for example, to a contract conclusion with us. The conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, cookies used for a period of up to two years.

Notes on Legal Bases

If we ask users for their consent to use the third-party providers, the legal basis for data processing is the declared consent. Otherwise, the user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.

Notes on Revocation and Objection

We refer to the privacy notices of the respective providers and the opt-out options provided by the providers (so-called "opt-out"). If no explicit opt-out option has been provided, there is the option of disabling cookies in the settings of your browser. However, this may restrict the functions of our online offer. Therefore, we recommend additionally using the following opt-out options, which are offered collectively for respective areas:

• Europe: https://www.youronlinechoices.eu.
• Canada: https://www.youradchoices.ca/choices.
• USA: https://www.aboutads.info/choices.
• Cross-regional: https://optout.aboutads.info.

Processed Data Types

• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Reach measurement (e.g., access statistics, recognition of returning visitors).
• Tracking (e.g., interest/behavior-based profiling, use of cookies).
• Target group formation.
• Marketing.
• Profiles with user-related information (creating user profiles).
• Conversion measurement (measuring the effectiveness of marketing measures).

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years.).

Security Measures

IP masking (pseudonymization of the IP address).

Legal Bases

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Google Ads and Conversion Measurement

Online marketing procedure for placing content and ads within the service provider's advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who are likely interested in the ads. Furthermore, we measure the conversion of the ads, i.e., whether users interacted with the ads and used the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: Types of processing and processed data: https://business.safety.google/adsservices/; Data processing terms between controllers and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.

Social Media Presences

We maintain online presences within social networks and process user data within this framework to communicate with the users active there or to offer information about us.

We point out that user data can be processed outside the area of the European Union. This can result in risks for the users because, for example, the enforcement of the users' rights could be made more difficult.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on the usage behavior and resulting interests of the users. These profiles may be used, for example, to display advertisements inside and outside the networks that presumably correspond to the users' interests. For these purposes, cookies are generally stored on the users' devices in which the usage behavior and interests of the users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and logged in there).

For a detailed presentation of the respective forms of processing and the opt-out options, we refer to the privacy policies and information of the operators of the respective networks.

In the case of information requests and the assertion of data subject rights, we also point out that these can be most effectively asserted with the providers. Only the providers have access to the user data and can directly take appropriate measures and provide information. If you still need help, you can contact us.

Processed Data Types

• Contact data (e.g., postal and email addresses or phone numbers).
• Content data (e.g., textual or visual messages and contributions and the information concerning them, such as authorship details or time of creation).
• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).

Affected Persons

• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Communication.
• Feedback (e.g., collecting feedback via online form).
• Public relations.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Instagram

Social network, enables sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for third-country transfers: Data Privacy Framework (DPF).

Facebook Pages

Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Page Insights," to page operators to give them insights into how people interact with their pages and the content associated with them. We have entered into a special agreement with Facebook ("Page Insights Information," https://www.facebook.com/legal/terms/page_controller_addendum), which specifically governs which security measures Facebook must observe and in which Facebook has agreed to fulfill the data subjects' rights (i.e., users can, for example, submit requests for information or deletion directly to Facebook). The rights of users (in particular, to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further notes can be found in the "Page Insights Information" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third-country transfers: Data Privacy Framework (DPF).

LinkedIn

Social network, professional network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF).

Twitter

Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://twitter.com; Privacy Policy: https://twitter.com/en/privacy; Basis for third-country transfers: Data Privacy Framework (DPF).

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offer, which are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos, or social media buttons, as well as posts (hereinafter uniformly referred to as "content").

The integration always assumes that the third-party providers of this content process the IP address of the user because they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of this content or function. We strive to use only content whose respective providers use the IP address only for the delivery of the content. Third-party providers can also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information, such as visitor traffic, on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and may include, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offer, as well as being linked to such information from other sources.

Notes on Legal Bases

If we ask users for their consent to use the third-party providers, the legal basis for data processing is the declared consent. Otherwise, the user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.

Processed Data Types

• Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions).
• Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons

• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Provision of our online offer and user-friendliness.
• Profiles with user-related information (creating user profiles).
• Marketing.
• Target group formation.

Retention and Deletion

Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".

Legal Bases

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

Google Fonts (Provision on Own Server)

Provision of fonts ("Google Fonts") for the purpose of a user-friendly presentation of our online offer; Service provider: The provision of fonts is carried out on our server and no data is transmitted to Google; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).