Privacy Policy

Data Protection Provisions


Introduction

With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as “data”), the purposes for which we process them, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both within the scope of providing our services and in particular on our websites, in mobile applications, as well as within external online presences such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).
All terms used are to be understood as gender-neutral.
Effective date: February 18, 2025


Table of Contents

  • Introduction
  • Controller
  • Overview of Processing Activities
  • Relevant Legal Bases
  • Security Measures
  • Transfer of Personal Data
  • Data Processing in Third Countries
  • Deletion of Data
  • Use of Cookies
  • Commercial Services
  • Sales via Online Marketplaces and Platforms
  • Payment Procedures
  • Provision of the Online Offering and Web Hosting
  • Registration, Login, and User Account
  • Contact and Inquiry Management
  • Newsletters and Electronic Notifications
  • Promotional Communication via Email, Post, Fax, or Telephone
  • Sweepstakes and Competitions
  • Web Analysis, Monitoring, and Optimization
  • Social Media Presences (Social Networks)
  • Plugins and Embedded Functions as well as Content
  • Changes and Updates to the Privacy Policy
  • Rights of Data Subjects
  • Definition of Terms

Controller

Belissima Motivstickerei & mehr
Bettina Hatz
Brolsstraße 9b
A-6844 Altach, Austria

Email: office@belissima.co.at


Overview of Processing Activities

The following overview summarizes the types of data we process, the purposes of their processing, and references the categories of data subjects involved.

Types of Data Processed

  • Event Data (Facebook) (“Event Data” are data that can be transmitted to Facebook via Facebook Pixel (through apps or other means) and that relate to individuals or their actions. Such data include, for example, information about website visits, interactions with content, features, installation of apps, product purchases, etc. Event Data are processed for the purpose of creating target groups for content and advertising information (Custom Audiences). Event Data do not include actual content (such as posted comments), login details, or contact information (i.e., no names, email addresses, or telephone numbers). Facebook deletes Event Data after a maximum of two years, and any target groups formed from them will be deleted if we delete our Facebook account.)
  • Inventory Data (e.g., names, addresses)
  • Content Data (e.g., entries in online forms)
  • Contact Data (e.g., email, telephone numbers)
  • Meta/Communication Data (e.g., device information, IP addresses)
  • Usage Data (e.g., pages visited, interest in content, access times)
  • Contract Data (e.g., contract subject, term, customer category)
  • Payment Data (e.g., bank details, invoices, payment history)

Categories of Data Subjects

  • Business and Contractual Partners
  • Prospective Customers
  • Communication Partners
  • Customers
  • Users (e.g., website visitors, users of online services)
  • Sweepstakes and Contest Participants

Purposes of Processing

  • Provision of our Online Offering and User-Friendliness
  • Office and Organizational Procedures
  • Direct Marketing (e.g., by email or postal mail)
  • Conducting Sweepstakes and Competitions
  • Feedback (e.g., collecting feedback via online forms)
  • Marketing
  • Handling Contact Inquiries and Communication
  • Profiles with User-Related Information (creating user profiles)
  • Reach Measurement (e.g., access statistics, recognition of returning visitors)
  • Security Measures
  • Provision of Contractual Services and Customer Support
  • Management and Response to Inquiries

Relevant Legal Bases

The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your country of residence or in ours may also apply. Where more specific legal bases are relevant in individual cases, we will inform you of them in this Privacy Policy.

  • Consent (Art. 6(1) Sentence 1 lit. a GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Performance of a Contract and Pre-Contractual Inquiries (Art. 6(1) Sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject’s request.
  • Legal Obligation (Art. 6(1) Sentence 1 lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Austria: In addition to the data protection regulations of the General Data Protection Regulation (GDPR), national regulations on data protection also apply in Austria, in particular the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Datenschutzgesetz – DSG). The Datenschutzgesetz contains, for example, special provisions on the right of access, the right to rectification or erasure, the processing of special categories of personal data, data processing for other purposes, and the transfer of data as well as on automated decision-making in individual cases.


Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures, in particular, include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, ensuring availability, and separation of the data. We have also put procedures in place to ensure that data subjects’ rights are observed, that data are deleted, and that responses to threats to the data are facilitated. Furthermore, we take into account the protection of personal data already in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.


Transfer of Personal Data

In the course of our processing of personal data, we may transfer data to other entities, companies, legally independent organizational units, or individuals or otherwise grant them access to this data. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we observe legal requirements and conclude appropriate contracts or agreements with the recipients of your data to protect your data.

Data transfers within our organization: We may transfer personal data to other locations within our organization or grant them access to such data. If this transfer is for administrative purposes, it is based on our legitimate business and commercial interests or is necessary for fulfilling our contractual obligations, or it occurs if there is consent from the data subjects or a legal permission.


Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this processing occurs in the context of using services of third parties or disclosing or transferring data to other individuals or companies, it will only take place in compliance with statutory requirements.

Subject to express consent or contractual or legally required transfer, we process or allow the data to be processed only in third countries that have a recognized level of data protection, by contractual obligation using so-called EU Commission Standard Contractual Clauses, if there are certifications, or if there are binding internal data protection regulations (Art. 44–49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).


Deletion of Data

The data we process will be deleted in accordance with legal requirements as soon as the consents required for processing are revoked or other permissions cease to apply (e.g., if the purpose for processing the data no longer exists or the data are not needed for that purpose).

If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted to those purposes. In other words, the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or that are required to assert, exercise, or defend legal claims or protect the rights of another natural or legal person.

Our privacy notices may contain additional details on the storage and deletion of data that apply primarily to the respective processing operations.


Use of Cookies

Cookies are text files containing data from visited websites or domains and stored by a browser on the user’s computer. A cookie’s primary purpose is to store information about a user during or after their visit to an online service. The stored data can include, for example, language settings on a website, a login status, a shopping cart, or the point at which a video was viewed. The term “cookies” also includes other technologies that fulfill the same functions as cookies (e.g., if user data are stored using pseudonymous online identifiers, also known as “user IDs”).

Types of Cookies and Their Functions

  • Temporary Cookies (also known as Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes the browser.
  • Persistent Cookies: Persistent cookies remain stored even after closing the browser. For example, login statuses or preferred content can be stored so that they are displayed immediately the next time the user visits a website. User interests, which are used for reach measurement or marketing purposes, can also be stored in such a cookie.
  • First-Party Cookies: First-party cookies are placed by us directly.
  • Third-Party Cookies: Third-party cookies are primarily used by advertisers (known as third parties) to process user information.
  • Necessary (Essential) Cookies: Cookies can be essential for the operation of a website (e.g., to store logins or other user input or for security reasons).
  • Statistical, Marketing, and Personalization Cookies: Cookies are also typically used in the context of reach measurement and when a user’s interests or behavior (e.g., viewing certain content or usage of certain features) are stored in a user profile. Such profiles help display content to users that potentially match their interests. This process is also known as “tracking,” i.e., following the potential interests of users. Whenever we use cookies or tracking technologies, we will inform you separately in this Privacy Policy or as part of obtaining consent.

Notes on Legal Bases

The legal basis upon which we process your personal data by means of cookies depends on whether we request your consent. If we do and you consent to the use of cookies, the legal basis for processing your data is your declared consent. Otherwise, data processed by means of cookies are processed on the basis of our legitimate interests (e.g., a commercially viable operation of our online offering and its improvement) or if the use of cookies is necessary to fulfill our contractual obligations.

Storage Duration: Unless we provide explicit information about the storage duration of permanent cookies (e.g., as part of a cookie opt-in), please assume that storage can last up to two years.

General Information on Revocation and Objection (Opt-Out)

Depending on whether processing is based on consent or legal permission, you have the option at any time to revoke any consent granted or to object to the processing of your data by cookie technologies (collectively referred to as “opt-out”). You can initially declare your objection using your browser settings, e.g., by disabling the use of cookies (note that disabling cookies may also limit the functionality of our online offering). You can also object to the use of cookies for online marketing purposes in many services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. You can also find further objection instructions in the information on the service providers and cookies used in this Privacy Policy.

Processing Cookie Data on the Basis of Consent

We use a cookie consent management procedure in which users can give their consent to the use of cookies (i.e., to the processing operations and providers named in the cookie consent management procedure) and can manage and revoke this consent. As part of this procedure, the consent declaration is stored in order not to have to repeat the consent request and to be able to demonstrate consent in accordance with our legal obligations. This storage can occur on the server side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to enable the consent to be assigned to a user or their device. Unless otherwise stated for individual cookie management service providers, the following applies: The duration of storage of consent can be up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used.

  • Data Types Processed: Usage data (e.g., web pages visited, interest in content, access times), Meta/Communication data (e.g., device information, IP addresses)
  • Data Subjects: Users (e.g., visitors to websites, users of online services)
  • Legal Bases: Consent (Art. 6(1) Sentence 1 lit. a GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Commercial Services

We process data from our contractual and business partners, such as customers and prospective customers (collectively referred to as “contractual partners”), in the context of contractual or comparable legal relationships, as well as related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations, to secure our rights, and for tasks related to this information, as well as for business administration purposes. We only disclose the data of contractual partners to third parties (e.g., telecommunications, transport, or other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities) in accordance with legal requirements if this is necessary for the aforementioned purposes or for the fulfillment of legal obligations, or if the data subjects have given their consent. Contractual partners will be informed about further processing activities (e.g., for marketing purposes) within the scope of this Privacy Policy.

We inform contractual partners which data are required for the aforementioned purposes before or during data collection, e.g., in online forms by specific labeling (e.g., colors) or symbols (e.g., asterisks) or personally.

We delete the data after the expiration of legal warranty and comparable obligations, i.e., generally after four years, unless the data are stored in a customer account, e.g., for as long as they must be retained for legal archiving purposes (generally ten years for tax purposes). Data disclosed to us by the contractual partner in connection with an order are deleted in accordance with the order specifications, generally after the end of the order.

If we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between users and the providers.

Customer Account: Contractual partners can create an account within our Online Offering (e.g., customer or user account, “customer account”). If registration is required, contractual partners will be informed accordingly, including the details required for registration. The customer accounts are not publicly visible and cannot be indexed by search engines. During registration, login, and use of the customer account, we store the IP addresses of customers and the time of each user action in order to provide evidence of registration and to prevent misuse of the customer account.

If customers terminate their customer account, their account data will be deleted unless retention is legally required. It is the responsibility of the customers to secure their data if they terminate their customer account.

Shop and E-Commerce: We process our customers’ data to enable them to select, purchase, or order the selected products, goods, and related services, as well as to pay for and deliver or perform them. If needed for the performance of an order, we use service providers (in particular postal, shipping, and delivery companies) to deliver or perform services. For payment transactions, we use the services of banks and payment service providers. The required information is marked as such during the ordering process and includes the information necessary for delivery, provision, and billing, as well as contact information for consultations as needed.

  • Data Types Processed: Inventory data (e.g., names, addresses), Payment data (e.g., bank details, invoices, payment history), Contact data (e.g., email, phone numbers), Contract data (e.g., contract subject, term, customer category), Usage data (e.g., pages visited, interest in content, access times), Meta/Communication data (e.g., device info, IP addresses)
  • Data Subjects: Prospective customers, business and contractual partners, customers
  • Purposes of Processing: Performance of contractual services and customer support, contact inquiries and communication, office and organizational procedures, management and response to inquiries, security measures
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b GDPR), Legal Obligation (Art. 6(1) Sentence 1 lit. c GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Sales via Online Marketplaces and Platforms

We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy notices, the privacy notices of the respective platforms also apply. This applies in particular to the payment process and to the methods used on those platforms for reach measurement and interest-based marketing.

  • Data Types Processed: Inventory data (e.g., names, addresses), Payment data (e.g., bank details, invoices, payment history), Contact data (e.g., email, phone numbers), Contract data (e.g., contract subject, term, customer category), Usage data (e.g., pages visited, interest in content, access times), Meta/Communication data (e.g., device info, IP addresses)
  • Data Subjects: Customers
  • Purposes of Processing: Provision of contractual services and customer support
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Services and Service Providers Used

  • Amazon: Online marketplace for e-commerce; Service Provider: Amazon Europe Core S.à r.l., Amazon EU S.à r.l., Amazon Services Europe S.à r.l., Amazon Media EU S.à r.l., all located at 38 avenue John F. Kennedy, L-1855 Luxembourg, as well as Amazon Instant Video Germany GmbH, Domagkstr. 28, 80807 Munich (together “Amazon Europe”); parent company: Amazon.com, Inc., 2021 Seventh Ave, Seattle, Washington 98121, USA; Website: https://www.amazon.de/; Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010.

Payment Procedures

In the context of contractual and other legal relationships, as well as on the basis of legal obligations or our legitimate interests, we offer data subjects efficient and secure payment options and use additional service providers in addition to banks and credit institutions (collectively referred to as “payment service providers”).

The data processed by the payment service providers includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums, and the contract, sum, and recipient-related details. These details are required to carry out transactions. However, they are processed solely by the payment service providers and stored with them. In other words, we do not receive any account or credit card related information, only information confirming (or refusing) payment. Under certain circumstances, payment service providers may transmit data to credit agencies. This transmission is intended to verify identity and creditworthiness. For further information, please refer to the terms and conditions and privacy policies of the payment service providers.

For the payment transactions, the terms and conditions and the privacy policies of the respective payment service providers, available on their websites or transaction applications, apply. Please also refer to them for more information on asserting revocation, disclosure, and other data subject rights.

  • Data Types Processed: Inventory data (e.g., names, addresses), Payment data (e.g., bank details, invoices, payment history), Contract data (e.g., contract subject, term, customer category), Usage data (e.g., pages visited, interest in content, access times), Meta/Communication data (e.g., device info, IP addresses)
  • Data Subjects: Customers, prospective customers
  • Purposes of Processing: Provision of contractual services and customer support
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Services and Service Providers Used


Provision of the Online Offering and Web Hosting

To provide our Online Offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers they manage) our Online Offering can be accessed. These services may include infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

All user data of our Online Offering may be processed in the course of the provision of the hosting services. This regularly includes the IP address, which is necessary for delivering the contents of online services to browsers, and all entries made within our Online Offering or on websites.

Collection of Access Data and Log Files: We (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the retrieved web pages and files, the date and time of retrieval, the volume of data transferred, a message about a successful retrieval, browser type and version, the user’s operating system, the referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.

Server log files may be used for security purposes—e.g., to prevent server overload (particularly in cases of misuse, known as DDoS attacks)—and to ensure server utilization and stability.

  • Data Types Processed: Content data (e.g., entries in online forms), Usage data (e.g., web pages visited, interest in content, access times), Meta/Communication data (e.g., device information, IP addresses)
  • Data Subjects: Users (e.g., website visitors, users of online services)
  • Purposes of Processing: Provision of our Online Offering and user-friendliness, performance of contractual services and customer support
  • Legal Bases: Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Services and Service Providers Used


Registration, Login, and User Account

Users can create a user account. During registration, users are informed of the required mandatory information, which is processed to provide the user account on the basis of contractual obligations. This typically includes login information (username, password, and an email address).

In connection with the use of our registration and login functions and the use of the user account, we store the IP address and the time of each user action. This storage is based on our legitimate interests and those of the users in protecting against misuse and unauthorized use. Such data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation.

Users may be informed by email about processes that are relevant to their user account, such as technical changes.

Deletion of data upon termination: If users terminate their user account, their data relating to the user account will be deleted, unless retention is required by law, allowed by law, or agreed by the users. It is the users’ responsibility to secure their data before the end of the contract if they terminate the user account. We have the right to irretrievably delete all user data stored during the contract term.

  • Data Types Processed: Inventory data (e.g., names, addresses), Contact data (e.g., email, telephone numbers), Content data (e.g., entries in online forms), Meta/Communication data (e.g., device information, IP addresses)
  • Data Subjects: Users (e.g., website visitors, users of online services)
  • Purposes of Processing: Performance of contractual services and customer support, security measures, management and response to inquiries
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Contact and Inquiry Management

When contacting us (e.g., via contact form, email, telephone, or social media) and within the framework of existing user and business relationships, the data of the inquiring individuals is processed to the extent necessary to respond to the contact inquiries and any requested measures.

Responding to contact inquiries and managing contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries. Otherwise, it is based on our legitimate interests in responding to inquiries and maintaining user or business relationships.

  • Data Types Processed: Inventory data (e.g., names, addresses), Contact data (e.g., email, phone numbers), Content data (e.g., entries in online forms)
  • Data Subjects: Communication partners
  • Purposes of Processing: Contact inquiries and communication
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Web Analysis, Monitoring, and Optimization

Web analysis (also known as “reach measurement”) is used to evaluate the flow of visitors to our Online Offering and may include behavior, interests, or demographic information about visitors such as age or gender—collected as pseudonymous values. With the help of reach analysis, we can, for example, identify at which times our Online Offering or its features or content are most frequently used or encourage reuse. We can also see which areas need optimization.

In addition to web analysis, we may use test methods to, for example, test and optimize different versions of our Online Offering or its components.

For these purposes, so-called user profiles may be created and stored in a file (a “cookie”) or similar procedures may be used with the same purpose. These details can include viewed content, pages visited, and elements used on them, as well as technical information such as the browser used, the computer system, and information about usage times. If users have consented to the collection of their location data, then these may also be processed, depending on the provider.

Users’ IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of the users (e.g., email addresses or names) are stored during web analysis, A/B testing, and optimization, only pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, only the information stored in their profiles for the purposes of the respective procedures.

Notes on Legal Bases: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, the data of users is processed on the basis of our legitimate interests (i.e., our interest in user-friendly, economic, and beneficial services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this Privacy Policy.

  • Data Types Processed: Usage data (e.g., web pages visited, interest in content, access times), Meta/Communication data (e.g., device information, IP addresses)
  • Data Subjects: Users (e.g., website visitors, users of online services)
  • Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors), profiles with user-related information (creation of user profiles)
  • Security Measures: IP masking (pseudonymization of the IP address)
  • Legal Bases: Consent (Art. 6(1) Sentence 1 lit. a GDPR), Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Services and Service Providers Used


Social Media Presences (Social Networks)

We maintain online presences in social networks and process user data in this context to communicate with the users active there or to offer information about us.

Please note that user data may be processed outside the European Union. This may present risks to users because, for example, it may be more difficult to enforce users’ rights.

Furthermore, user data in social networks are generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of the users. Such profiles can be used to deliver advertisements, both within and outside the networks, that are presumably in line with the users’ interests. For these purposes, cookies containing data about user behavior and interests are normally stored on the users’ computers. Additionally, data can also be stored in the user profiles independent of the devices used (especially if the users are members of the respective platforms and logged in to them).

For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information of the operators of the respective networks.

Also, in the case of requests for information and the assertion of data subject rights, we point out that these rights can be most effectively exercised with the providers themselves. Only the providers have access to the user data and can take direct action and provide information. However, if you need help, please feel free to contact us.

Facebook: We share responsibility with Facebook Ireland Ltd. for the collection (but not further processing) of data from visitors to our Facebook page (the so-called “Fanpage”). These data include information about the types of content users view or interact with, or the actions taken by them (see “Things done and provided by you and others” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services known as “Page Insights” to page operators, so they can gain insights into how people interact with their pages and the content associated with them. We have concluded a specific agreement with Facebook (“Information about Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum) that particularly defines which security measures Facebook must observe and in which Facebook agrees to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook). Users’ rights (in particular to information, deletion, objection, and complaints to the competent supervisory authority) are not limited by the agreements with Facebook. For further information, see “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).

  • Data Types Processed: Contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., pages visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
  • Data Subjects: Users (e.g., website visitors, users of online services)
  • Purposes of Processing: Contact requests and communication, feedback (e.g., collecting feedback via online form), marketing
  • Legal Bases: Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR)

Services and Service Providers Used


Plugins and Embedded Functions as well as Content

We embed into our Online Offering functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may, for example, include graphics, videos, or city maps (hereinafter referred to uniformly as “Content”).

Such integration always requires that the third-party providers of this Content process the users’ IP addresses, as they would not be able to send the Content to their browsers otherwise. The IP address is thus necessary for the display of such Content or functionalities. We endeavor to use only such Content whose respective providers only use the IP address to deliver the Content. Third-party providers may also use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visit time, and other details about the use of our Online Offering, as well as being linked to such information from other sources.

Notes on Legal Bases: If we ask users for their consent to use third-party providers, the legal basis of processing data is consent. Otherwise, user data are processed based on our legitimate interests (i.e., interest in providing efficient, cost-effective, and user-friendly services). In this context, please also see the information on cookies in this Privacy Policy.

Facebook Plugins and Content: We share responsibility with Facebook Ireland Ltd. for the collection or receipt within a transfer (but not further processing) of “Event Data” that Facebook collects or receives through Facebook social plugins (and embedding features for content) running on our Online Offering for the following purposes: (a) displaying content and advertising information likely matching users’ interests, (b) delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger), and (c) improving ad delivery and personalizing features and content (e.g., improving recognition of what content or advertising might match users’ interests). We have entered into a special agreement (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum) with Facebook, which specifies, in particular, which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook agrees to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook). Note: If Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain any information about individual users and are anonymous to us), this processing is not performed under joint responsibility but on the basis of a data processing agreement (“Data Processing Terms,” https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, regarding processing in the USA, on the basis of Standard Contractual Clauses (“Facebook EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular to information, deletion, objection, and complaints to the competent supervisory authority) are not restricted by these agreements with Facebook.

Instagram Plugins and Content: We share responsibility with Facebook Ireland Ltd. for the collection or receipt within a transmission (but not further processing) of “Event Data” that Facebook collects or receives through functions of Instagram (e.g., embedding functions for content) running on our Online Offering, for the following purposes: (a) displaying content and advertising information that presumably matches the users’ interests, (b) delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger), and (c) improving ad delivery and personalizing functions and content (e.g., improving recognition of which content or advertising might match users’ interests). We have entered into a special agreement (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum) with Facebook, which specifies, in particular, which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook agrees to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook). Note: If Facebook provides us with metrics, analyses, and reports (aggregated, i.e., containing no information about individual users and thus anonymous to us), then this processing does not take place under joint responsibility but on the basis of a data processing agreement (“Data Processing Terms,” https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, regarding processing in the USA, on the basis of Standard Contractual Clauses (“Facebook-EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular to information, deletion, objection, and complaints to the competent supervisory authority) are not restricted by these agreements with Facebook.

  • Data Types Processed: Usage data (e.g., web pages visited, interest in content, access times), Meta/Communication data (e.g., device information, IP addresses), Event Data (Facebook) (i.e., data that can be transmitted to Facebook via the Facebook Pixel (through apps or other means) relating to individuals or their actions. Examples: website visits, interactions with content, features, installing apps, purchasing products, etc. These data are processed to create target groups for content and advertising (Custom Audiences). Event Data do not contain the actual content of communications (such as written comments), login details, or contact information (e.g., names, email addresses, phone numbers). Facebook deletes Event Data after a maximum of two years; target groups formed from them will be deleted if we delete our Facebook account.)
  • Data Subjects: Users (e.g., website visitors, users of online services)
  • Purposes of Processing: Provision of our Online Offering and user-friendliness, performance of contractual services and customer support, marketing, profiles with user-related information (creation of user profiles)
  • Legal Bases: Legitimate Interests (Art. 6(1) Sentence 1 lit. f GDPR), Consent (Art. 6(1) Sentence 1 lit. a GDPR)

Services and Service Providers Used


Changes and Updates to the Privacy Policy

We kindly ask you to regularly review the content of our Privacy Policy. We will adapt the Privacy Policy as soon as changes in our data processing activities make this necessary. We will inform you if such changes require an act of cooperation from you (e.g., consent) or other individual notification.

Insofar as we include addresses and contact information of companies and organizations in this Privacy Policy, please note that these addresses may change over time and check the information before contacting them.


Rights of Data Subjects

As a data subject, you have various rights under the GDPR, in particular those set out in Articles 15 to 21 GDPR:

  1. Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data that is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling to the extent that it is related to such direct marketing.
  2. Right to Withdraw Consent: You have the right to withdraw any consent given at any time.
  3. Right of Access: You have the right to request confirmation as to whether data concerning you are being processed and to obtain information about these data, as well as further information and a copy of the data, in accordance with legal requirements.
  4. Right to Rectification: You have the right, in accordance with legal requirements, to request that any inaccurate data about you be corrected or that incomplete data be completed.
  5. Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to demand that data relating to you be erased immediately, or alternatively, in accordance with legal requirements, to demand restriction of the processing of your data.
  6. Right to Data Portability: You have the right to receive the data you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request their transfer to another controller.
  7. Right to Lodge a Complaint with a Supervisory Authority: You have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that the processing of your personal data infringes the GDPR.

Definition of Terms

This section provides an overview of the terminology used in this Privacy Policy. Many of the terms are taken from the law and defined primarily in Art. 4 GDPR. The legal definitions are binding. The following explanations, however, aim to aid understanding. The terms are listed in alphabetical order.

  • IP Masking: “IP Masking” refers to a method in which the last octet, i.e., the last two numbers of an IP address, is deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing procedures, especially in online marketing.
  • Personal Data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles with User-Related Information: The processing of “profiles with user-related information” or “profiles” for short involves any type of automated processing of personal data that uses those personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the nature of the profiling, this can include different information concerning demographics, behavior, and interests such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling.
  • Reach Measurement: Reach measurement (also called web analytics) is used to evaluate the flow of visitors to an Online Offering and can include the behavior or interests of visitors in certain information, such as website content. Using reach analysis, website owners can, for example, determine at what time visitors use their site and what content they are interested in. This allows them to better tailor site content to visitors’ needs. Pseudonymous cookies and web beacons are often used for reach analysis to recognize returning visitors and thus obtain more accurate analyses of the use of an Online Offering.
  • Controller: A “controller” is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically all handling of data, be it collection, evaluation, storage, transmission, or deletion.
