Please also note: You can find our General Terms and Conditions at: https://www.socialsweethearts.de/terms-en

Introduction

This Privacy Policy informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") in the context of the provision of our range of services and on our websites, mobile applications, functions and contents connected with them as well as external online representations, e.g. Social Media Profiles (hereinafter collectively referred to as "Services"):

In the second section you will find information about your rights, the relevant legal standards and general information about our data processing.
The third section contains information on the individual processing operations. This section is divided into further areas, such as our key services, reach measurement or marketing.
The fourth and final section contains explanations and descriptions of the terms used in this Privacy Policy. This means that if you do not know the terms used (e.g. "personal data" or "cookie"), please refer to the last section. All terms used (e.g. "responsible" or "user") are to be understood gender-neutral.

Section I – Controller and Overview of Data Processing

Controller

social sweethearts GmbH

Karl-Valentin-Str. 17,

D-82031 Gruenwald

Germany

E-Mail: team@socialsweethearts.de

Tel.: +49 (0)211 436 91166

Complete legal information:: http://www.socialsweethearts.de/en_US/imprint

The Controller is hereinafter also referred to as "we" or "us".

Data Protection Officer

Dr. Thomas Schwenke, E-Mail: DSB@extern.socialsweethearts.de.

Description of our services and objectives

social sweethearts offers online services for entertainment purposes, such as games, puzzles, personality tests or quizzes.

Type of processed data:

Inventory Data (e.g., names, addresses).
Contact details (e.g., e-mail, phone numbers).
Content Data (e.g., text input, photographs, videos).
Contract Data (e.g., subject matter of the contract, duration).
Usage Data (e.g., interests, websites visited, usage behaviour, access times, log data).
Meta/communication Data (e.g., IP addresses).
Job candidate Data (e.g., names, contact details, qualifications, job application documents).

Processing of special categories of Data (Art. 9 (1) GDPR)

No special categories of Data are processed.

Categories of data subjects

Controllers / interested Parties / users of the Controller.
Controller's employees.
Suppliers of the Controller.

In the following, we will also summarise the data subjects as "users".

Purpose of Processing

Provision of our services, its contents and functions.
Provision of contractual services and customer care.
Response to service, contact requests and other communication with users.
Marketing, advertising and market research.
Security measures.

Automated individual decision-making (Art. 22 GDPR):

We do not use exclusively automated individual decision-making.

As of: March 2024

Table of Contents

Introduction

Section I – Controller and Overview of Data Processing

Controller

Data Protection Officer

Description of our services and objectives

Type of processed data:

Processing of special categories of Data (Art. 9 (1) GDPR)

Categories of data subjects

Purpose of Processing

Automated individual decision-making (Art. 22 GDPR):

Section II - Rights of data subjects, legal basis for the processing and general information

Rights of Data Subjects

Right of Withdrawal

Right to Object

Cookies and Right to Object in Direct Marketing

Solely Automated individual decision-making

Erasure of data and archiving obligations

Changes and Updates to this Privacy Policy

Relevant Legal Basis for the Processing;

Security of Data Processing

Disclosure and Transmission of Data

Transfers to Third Countries

Section III - Processing operations

The Key Area of Data Processing

Contractual services (e.g. Nametests, testony, Trivia Pearls, Sweet Puzzles, apost)

Mobile Applications (Sticker test and Storytest)

Purchase of applications via Appstores

Push notifications

Cookie-Management with Sourcepoint

PURE-subscription by contentpass

Single sign-on authentication with Facebook

Answering Inquiries and Communication via Freshdesk

Answering Inquiries and User Service

Administration, Financial Accounting, Office Organization, Archiving

Business and market research

Typeform

Data protection information for Job Candidates

Application process

Campusjäger by Workwise (Application process)

Workable (Application process)

Application Process - Talent Pool

Wellfound (formerly AngelList (angel.co))

BambooHR

Deel

We use an international recruitment and payroll service offered by Deel.

Webserver and Security

Amazon Web Services

Cloudflare

Godaddy

Google Suite and Google Cloud

MongoDB Atlas

Raygun

SolarWinds Worldwide, LLC (Pingdom and Papertrail)

Sophos Managed Detection and Response

Embedded content and functions

Ex.co (former Playbuzz) content distribution

Facebook Features and Content

Giphy features and content

Google Services and Content

Imgur features and content

Instagram Features and Contents

Pinterest features and content

Reddit features and content

Rumble features and content

TikTok features and content

Twitter features and content

video intelligence video player

Sharing graphics with Snapchat

WhatsApp features and content

External online profiles

Online Presences in Social Media

Organization and Marketing

ADYOULIKE

Amazon Publisher Services

Harvest (Iridesco, LLC)

Hootsuite

Taboola

Teads content distribution

Yieldlove

Newsletter Mailing and Performance Measurement

Communication via Mail, E-Mail, Fax or Telephone

Sweepstakes and Competitions

Optimization

Amazon Personalize

Google Firebase

Web analytics, online marketing and technology partners

Facebook Pixels and Custom Audiences

Profiles in Social Networks (Social Media)

Section IV - Definitions

Section II - Rights of data subjects, legal basis for the processing and general information

Rights of Data Subjects

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.

You have correspondingly. In accordance with Article 16 of the GDPR, the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.

In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.

You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

In accordance with Art. 77 GDPR, you also have the right to file a complaint with the a supervisory authority.

Right of Withdrawal

You have the right to withdraw consents granted pursuant to Art. 7 (3 GDPR with effect for the future.

Right to Object

You can object to the future processing of the data concerning you in accordance with Art. 21 GDPRat any time. The objection may be lodged in particular against processing for direct marketing purposes.

Cookies and Right to Object in Direct Marketing

We use temporary and permanent cookies, i.e. small files that are stored on the user's devices (for the explanation of the term and function, see last section of this Privacy Policy). In part, cookies serve security purposes or are required for the operation of our online services (e.g., for the appearance of the website) or to save the user's decision when confirming a cookie banner. In addition, we or our technology partners use cookies to measure the reach and for marketing purposes, about which the users will be informed in the scope of the Privacy Policy.

Consent management (apost.com)

We participate in the IAB Europe Transparency & Consent Framework and comply with its specifications and guidelines. For this purpose, we use the Consent Management Platform (CMP) of Sourcepoint Technology Inc, 228 Park Ave S #87903, New York 10003-1502, USA as a processor. Within the framework of the IAB Europe Transparency & Consent Framework, Sourcepoint has the identification number 6. Sourcepoint's CMP enables you to give us consent to the processing of your data in accordance with data protection regulations and to revoke this consent at any time. You can also object to data processing based on our legitimate interest. You can find an overview of your setting options, the purposes and integrated third parties via the text link "Consent Management" at the bottom of the page on apost.com.

Further objection options

If users do not want cookies to be stored on their computer, they are advised to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online services.

An objection to the use of cookies used for online marketing purposes can be declared for many of the services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/, the EU site http://www.youronlinechoices.com/ or in general http://optout.aboutads.info.

Furthermore, the storage of cookies can be prevented by deactivating them in the browser settings. Please note that in this case not all functions of out online service can be used.

Solely Automated individual decision-making

In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based exclusively on automated processing - including profiling - which has legal effect concerning you or similarly significantly affects you.

We inform you that we do not use exclusively automated individual decision-making.

Erasure of data and archiving obligations

The data processed by us will be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data are not erased because they are necessary for other and legally permissible purposes, their processing is restricted. This means that the data is excluded and not processed for other purposes. This applies, for example, to data that must be retained for commercial or taxation reasons.

In accordance with statutory requirements, the records shall be kept for 6 years in particular in accordance with § 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with § 147 (1) German Financial Act (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).

Processes relating to the assertion of the rights of data subjects, will be stored for up to three years beginning after the end of the year in which they were concluded, on the basis of legitimate interests, in order to enable us to prove that they have been properly processed.

Changes and Updates to this Privacy Policy

We ask you to keep yourself regularly informed about the contents of our Privacy Policy. We will adapt the Privacy Policy as soon as any changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

Relevant Legal Basis for the Processing;

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not explicitly stated in the Privacy Policy, the following applies: The legal basis for obtaining consents is Art. 6 (1) lit. a and Art. 7 GDPR, the legal basis for processing for the performance of our services and performance of contractual measures as well as for answering inquiries is Art. 6 (1) lit. b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) lit. f GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

The principles for commercial communications outside of business relations, in particular by post, telephone, fax and e-mail, are contained in § 7 of the German Unfair Competition Act (UWG).

Security of Data Processing

We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of data subjects' rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).

The security measures include in particular the encrypted transmission of data between your browser and our server.

Employees are bound to confidentiality with regard to data protection, are instructed, monitored, and informed of possible liability consequences.

Disclosure and Transmission of Data

If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1), lit. b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).

If we commission third parties with the processing of data on the basis of a so-called " Data Processing Agreement", this is done on the basis of Art. 28 GDPR.

If we disclose, transfer or otherwise grant access to data to other companies in our Group of Companies (Undertakings), this is done in particular for administrative purposes as a legitimate interest and in addition on the basis of an Data Processing Agreement.

Transfers to Third Countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU or compliance with officially recognised special contractual obligations (so-called "Standard Contractual Clauses").

Section III - Processing operations

The following section provides an overview of our processing activities, which we have subdivided into other areas of operation. Please note that the areas of operation are for guidance only and that processing activities may overlap (e.g. the same data may be processed in several operations).

For reasons of clarity and comprehensibility, you will find the frequently repeated terms in Section IV of this data protection declaration.

The Key Area of Data Processing

In this section you will find information on our key services and operations, such as responding to enquiries and providing our contractual services as well as the associated ancillary tasks.

Contractual services (e.g. Nametests, testony, Trivia Pearls, Sweet Puzzles, apost)

We process the data of our customers within the scope of our services in order to provide our contractual services. We receive the data either through user input or when users expressly consent to provide us with data via an interface to Facebook. Furthermore, data resulting from the use of our services are processed (so-called usage or metadata, such as functions and content used or information on user devices).

If we evaluate the interests or behaviour of users, this will lead to a needs-oriented design of our Online Services.

For example, users are provided with content or functions that correspond to the content and functions previously used. For this purpose, we use data that we obtain about users in accordance with this Privacy Policy and analyse it with the aid of algorithmic functions. This analysis is only for our purposes, the results will not be passed on to third parties.

Nametests: First name or player name, app-specific ID, language (locale), gender (guessed based on first name and language), player’s profile or avatar picture (we use the profile picture on result graphics, which the user can share); no access to friends list/ friends' data; no e-mail addresses of users are processed and stored. (more Details and FAQ)

Testony.com and Stickertest.com : First name (if provided by user), gender, language; no access to friends list/ friends' data; no e-mail addresses of users are processed and stored.

Trivia Pearls: First name or player name and player’s profile or avatar picture (we use the profile picture on result graphics, which the user can share); Friends and connections: The first names of Facebook friends and Messenger connections who also play this game; Language (locale); app-specific player ID; no e-mail addresses of users are processed and stored.

Sweet Puzzles: First name or player name and player’s profile or avatar picture (we use the profile picture for/on result and/or puzzle graphics, which the user can play as puzzle and/or share); Language (locale); gender (guessed based on first name and language), app-specific player ID; no e-mail addresses of users are processed and stored. (Details)

apost: apost is an information portal, the use of which does not require the entry of user data and neither access to Facebook profiles of users nor their e-mail addresses.

Data processed: Inventory data (e.g. first name, profile picture, gender, app scope ID, language), Contact details (e.g. information provided by the user), Content data (e.g. texts, graphics, videos. For clarification: your text input or menu choices in Nametests or testony games are not saved. They’re only used for the creation of your result image), Usage data (e.g. interest in functions, frequency of use), Metadata/device data (e.g. IP address).
Special categories of personal data: In general, no special categories of data are processed unless they are submitted by the user.
Data subjects: Users of our Services.
Purpose of Processing: Provision of our Online Services, their contents and their functions.
Legal basis: Art. 6 (1) b GDPR (performance of contractual services), Art. 6 (1) f GDPR (Processing of the interests and behaviour of the users for the purpose of identifying content that is likely to be of interest to the users; security; marketing).
External disclosure and purpose: For hosting purposes please refer to the section hosting within this privacy policy; furthermore, we work together with various technological partners who, for example, display advertisements on the basis of user data. We make sure that the user's data is pseudonymised (e.g. no clear data s) and that users have simple rights of revocation at their disposal. We also conclude special data protection agreements with our partners, in which they commit themselves to the protection of user data.
Processing in third countries: The data are also processed outside the EU/EEA, whereby we explain this during the respective processing within the scope of this data protection declaration and communicate which guarantees serve as a basis for processing in third countries..
Deletion of data: User Data will only be stored for as long as necessary; When possible and feasible, users should be enabled to delete User Data by themselves; User Data will be also deleted when the contractual basis or/and authority of the contractual partners or APIs (e.g., Facebook’s) on the basis of which User Data was obtained has been removed, unless the retention of the respective data is explicitly permitted. User Data will be deleted when users delete or terminate their user account and/or request its termination; In this case, all user data must be deleted, unless the data is necessary to prove a later contractual relationship with the user on the basis of accountability (this includes the name of the user,, as well as the time of registration and termination and the IP addresses used by the user). Result images in Nametests are stored for 7 days and then deleted. In the case of inactivity in instant games, user data will be deleted typically after 10 days (Nametests and testony), after two years at the latest (Challenge Your Friends). Further, data may be excluded from deletion if necessary, e.g. to serve as proof in ongoing legal proceedings or if the retainment is imposed by statutory provisions or authorities. The storage of data after the end of the contract is based on legitimate interests in accordance with Art. 6 para. 1 letter f GDPR to comply with legal requirements and to protect entrepreneurial interests. In accordance with statutory provisions in Germany, the User Data may be kept for 10 years in accordance with Sections 147 (1) German Financial Act (AO) , Sections 257 (1) No. 1 and 4, (4) German Commercial Code (HGB) (when it is a part of books, records, management reports, accounting documents, trading books, documents relevant to taxation, etc.) and for 6 years in accordance with Sections 257 (1) No. 2 and 3, (4) HGB (when it is a part of commercial letters). Instead of deletion, user data can be anonymized, in particular aggregated to summarized values. However, this is only permitted if this does not contradict any other provisions, e.g. contractual provisions of partners or provisions for the use of APIs.The requirement to retain user data is checked annually. If the data are not deleted because they are necessary for other and legally permissible purposes, their processing must be restricted. This means that the data is excluded and not processed for other purposes.

Mobile Applications (Sticker test and Storytest)

We process the data of the users of our applications to the extent necessary to provide the users with the applications and its functionalities, to monitor its security and to develop it further. Furthermore, we may contact users in compliance with the statutory provisions if communication is necessary for the purposes of administration or use of the applications. In addition, we refer to the data protection information in this privacy policy with regard to the processing of user data.

Legal basis: The processing of data necessary for the provision of the functionalities of the applications serves to fulfil contractual obligations. This also applies if the provision of the functions requires user authorisation (e.g. release of device functions). If the processing of data is not necessary for the provision of the functionalities of the applications, but serves the security of the applications or our business interests (e.g. collection of data for the purpose of optimising the applications or security purposes), it is carried out on the basis of our legitimate interests. If users are expressly requested to give their consent to the processing of their data, the data covered by the consent is processed on the basis of the consent.

Device permissions for access to functions and data: The use of our applications or their functionalities may require user authorizations to access certain functions of the devices used or to access data stored on or accessible through the devices. By default, these authorizations must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling application permissions may vary depending on the device and software used by the users. Users can contact us if they require further explanation. We would like to point out that the refusal or revocation of the respective authorizations can affect the functionality of our applications.

Processed data types: Selected language and gender (will be stored on mobile devices and deleted from the devices after uninstalling the applications); names and other content user entries, if they are required to create image content or other results (will be deleted after the purpose is fulfilled, can also be entered pseudonymously); created images/graphics and other results (will only be stored in the case of NEW PROJECT for a maximum of seven days and then deleted on our servers; with regard to the storage of content shared or created by users outside of our applications, we refer to the data protection regulations of the respective social media platforms or other recipients of these results); names, e-mail addresses and location data of users are not stored by us. The IP address is stored only for the purpose of providing the service and as part of the server log data together with the time the application is accessed for up to 7 days for security purposes
Purposes of Processing: Provision of contractual services and customer support.
Legal Basis: Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Processing of data by services that are integrated within the application (Within the applications we use the following services and point out the supplementary or linked data processing information):

Cloudflare (Storytest, Sticker Test).
Google Firebase (Storytest, Sticker Test).
Branch Metrics, Inc. (Sticker Test).
Google AdMob (Storytest, Sticker Test).
Raygun (Storytest, Sticker Test).
Sharing graphics with Snapchat (Sticker Test).
Twitter sharing buttons (Sticker Test web version)
Snap Kit: With the help of Snapchat's "kits," we can use Snapchat content such as Bitmojies or Stories, with users' consent, or give users the opportunity to sign in to our online services using their Snapchat login information. Service provider: Snap Inc., 3000 31st Street, Santa Monica, California 90405, USA; Website: https://kit.snapchat.com/; Privacy Policy: https://www.snap.com/en-US/privacy/privacy-policy, Cookie-Richtlinie: https://www.snap.com/de-DE/cookie-policy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://businesshelp.snapchat.com/en-US/article/standard-contractual-clauses.
Facebook SDK (Storytest): Privacy Policy: https://www.facebook.com/policy.php; Information on joint control: We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or transmission (but not the further processing) of "event data" that Facebook collects or receives as part of a transmission for the following purposes using the Facebook pixel and comparable functions (e.g. APIs) that are implemented in our online services: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.

Purchase of applications via Appstores

The purchase of our apps is done via special online platforms operated by other service providers (so-called "appstores"). In this context, the data protection notices of the respective appstores apply in addition to our data protection notices. This applies in particular with regard to the methods used on the platforms for webanalytics and for interest-related marketing as well as possible costs.

Processed data types: Inventory data (e.g. names, addresses), Payment Data (e.g. bank details, invoices, payment history), Contact data (e.g. e-mail, telephone numbers), Contract data (e.g. contract object, duration, customer category), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
Data subjects: Customers.
Purposes of Processing: Provision of contractual services and customer support.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

Apple App Store: App and software distribution platform; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Website: https://www.apple.com/ios/app-store/; Privacy Policy: https://www.apple.com/privacy/privacy-policy/.
Google Play: App and software distribution platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://play.google.com/store/apps?hl=en; Privacy Policy: https://policies.google.com/privacy.

Push notifications

With the consent of the users, we can send the users so-called "push notifications". These are messages that are displayed on users' screens, devices or browsers, even if our online services are not being actively used.

In order to sign up for push messages, users must confirm that their browser or device has requested to receive push messages. This approval process is documented and stored. The storage is necessary to recognize whether users have consented to receive the push messages and to be able to prove their consent. For these purposes, a pseudonymous identifier of the browser (so-called "push token") or the device ID of a terminal device is stored.

The push messages may be necessary for the fulfilment of contractual obligations (e.g. technical and organisational information relevant for the use of our online offer) and will otherwise be sent, unless specifically mentioned below, on the basis of user consent. Users can change the receipt of push messages at any time using the notification settings of their respective browsers or end devices.

Analysis and performance measurement: We statistically evaluate push messages and can thus identify if and when push messages were displayed and clicked on. This information is used for the technical improvement of our push messages based on technical data or target groups and their retrieval behavior or retrieval times. This analysis also includes determining whether the push messages are opened, when they are opened and whether users interact with their content or buttons. For technical reasons, this information can be assigned to individual push message recipients. However, it is neither our intention nor, if used, that of the push message service provider to monitor individual users. Rather, the evaluations serve to identify the usage habits of our users and to adapt our push messages to them or to send different push messages according to the interests of our users.

The evaluation of the push messages and the measurement of performance are based on the consent of the users, which is given with their permission to receive the push messages. Users can object to the analysis and performance measurement by unsubscribing from the push messages. Unfortunately, it is not possible to cancel the analysis and performance measurement separately.

Contents: Information on new contents and functions

Processed data types: Usage data (e.g. websites visited, interest in content, access times).
Purposes of Processing: Provision of contractual services and customer support, Web Analytics (e.g. access statistics, recognition of returning visitors).
Legal Basis: Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior requests (Article 6 (1) (b) GDPR).

Services and service providers being used:

Firebase: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy.

Cookie-Management with Sourcepoint

We use a cookie management solution for our website apost.com in which users' consent to the use of cookies, or the procedures and providers mentioned in the cookie management solution, can be obtained, managed and revoked by the users. The declaration of consent is stored so that it does not have to be retrieved again and the consent can be proven in accordance with the legal obligation. Storage can take place server-sided and/or in a cookie (so-called opt-out cookie or with the aid of comparable technologies) in order to be able to assign the consent to a user or and/or his/her device. Subject to individual details of the providers of cookie management services, the following information applies: The duration of the storage of the consent can be up to two years. In this case, a pseudonymous user identifier is formed and stored with the date/time of consent, information on the scope of the consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and used end device.

Processed data: Meta/communication data (device information, IP addresses, user ID; login status).
External disclosure and purpose:Sourcepoint Technologies, Inc, 1201 Broadway, 7th floor, New York, NY 10001, USA;
Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
Privacy Policy: https://www.sourcepoint.com/privacy-policy/
Processing in third countries: USA; Personal Data is processed by Sourcepoint in the EU and EEA, but Personal Data may be accessed by Sourcepoint employees in the USA for the purposes of remote maintenance and support.SCC.
Data Retention: Up to two years.

PURE-subscription by contentpass

On the apost.com website, we offer the option of taking out a PUR subscription instead of consenting to the use of advertising cookies. We use the contentpass service to provide membership subscriptions and paid access.

This is an offer of Content Pass GmbH. When you take out the service, contentpass becomes your contractual partner. In order to be able to display and thus offer you this service on our website, contentpass, on our behalf, processes your IP address at the beginning of your website visit. For the registration as well as the contract processing of contentpass and the associated data processing, contentpass is the controller within the meaning of the DS-GVO. We are exclusively responsible for the processing of your IP address.

The basis for the data processing of the IP address, within the scope of our contract processing with contentpass, is our legitimate interest in offering you the opportunity to access our website free of advertising and tracking and your interest in using our website practically without advertising and tracking (Art. 6 para. 1 p. 1 lit. f) GDPR). In addition, we hereby fulfil the legal obligation to obtain legally compliant consent to data processing requiring consent (Art. 6 para. 1 lit. c) GDPR).

Please click on the following links to learn more about data protection at contentpass, to log in to your contentpass account, or to register for contentpass.

Data processed: IP address.
Data subjects: users.
External disclosure: content pass GmbH, Wolfswerder 58, 14532 Kleinmachnow, Germany.
Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Privacy policy: https://www.contentpass.net/privacy
Processing in third countries: no.
Retention of data: As part of the processing on our behalf, the IP address of the user is processed in order to display the offer of a payment model on the website. The service provider is responsible for further data processing (in particular the conclusion of contracts requiring payment).

Single sign-on authentication with Facebook

We use Facebook's single sign-on method, which allows users to register within our online service.

We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or receipt as part of a transmission (but not the further processing) of Event Data that Facebook collects or receives as part of a transmission for the following purposes using the Facebook single sign-on registration procedures that are implemented on our online services: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.

Data processed: Inventory data (name, e-mail address, password (only processed on Facebook and cannot be viewed by us), user ID, user handle);
External disclosure and purpose: Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, Europe: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Retention of data: Information stored with us is not automatically matched with the user account on Facebook; for example, if the user's e-mail address changes, users must manually change it in your user account with us. The link to our user account can be removed within Facebook's settings; if users wish to delete their data with us, they must cancel their registration with us.

Answering Inquiries and Communication via Freshdesk

We use Freshdesk Customer Support solutions for communication with our users.

Data processed: Inventory data, contact details, usage data, content data, metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit.f GDPR.
Data subjects: Users, Employees
Purpose of processing: Answering users' contact requests and keeping track of ongoing communications and evaluating communications in order to improve their own performance and communication with users in the future.
Special security measures: DPA.
Opt-Out: Opt-Out for marketing communications contained in the email or via a request to support@freshworks.com. Opt-Out for third party cookies in the cookie policy: https://www.freshworks.com/list-of-cookies
Necessity / interest in processing: Providing contractual services, answering and maintaining communications with users.
External disclosure: San Francisco, USA, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066
Privacy Policy: https://www.freshworks.com/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses.
Retention of data: User requests are stored by Freshdesk for as long as it is necessary to answer the request and follow-up questions, which usually means a period of 6 months after the end of communication. For the purpose of analyzing requests to improve our services or communication, we only process pseudonymous and if possible anonymous data. Furthermore, the statutory archiving obligations shall apply.

Answering Inquiries and User Service

We process the information in the inquiries, which we receive via our contact form and other means, e.g. via e-mail, in order to answer the inquiries. For these purposes, the inquiries may be stored in our Customer Relationship Management (CRM) system or in similar procedures that serve us to manage inquiries. For customer relationship management purposes (CRM) we use so-called CRM software. With the help of the software we can answer the inquiries more effectively and faster.

Data processed: Inventory data, contact data, contract data, payment data, usage data, metadata.
Data subjects: users, prospective users, business partners, website visitors.
Purpose of processing: Answering inquiries.
Legal basis: Art. 6 (1) b./f. GDPR.
Necessity / interest in processing: Necessary to answer queries, optimization, user-friendliness, business interests.
External disclosure and purpose: DUSOFFICE, owner Sebastian Schmidt Grafenberger Allee 277 -287 40237 Düsseldorf (call answering service).
Special security measures: Data Processing Agreement with DUSOFFICE.
Privacy Policy DUSOFFICE: https://www.telefonservice-dusoffice.de/dusoffice/datenschutz.html.
Retention of data: We delete the requests if they are no longer required. We review the requirement every two years; requests from users who have a user account are stored permanently and are linked to the user account details for deletion. In the case of statutory archiving obligations, the erasure takes place after their expiry (end of commercial law (6 years) and tax law (10 years) storage obligation).

Administration, Financial Accounting, Office Organization, Archiving

We process data within the framework of administrative tasks as well as the organization of our company, financial accounting and compliance with legal obligations, such as archiving.

Data processed: Data that we process in the course of our Online Services.
Special categories of personal data: none.
Legal basis: Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR.
Data subjects: users, prospective users, business partners, website visitors.
Purpose of processing: administration, financial accounting, office organization, archiving.
Necessity / interest in processing: The processing is necessary to maintain our business and our services.
-External disclosure and purpose: financial administration, tax consultants, other fee agencies, payment service providers to carry out contractual or legal payment transactions.
External disclosure and purpose: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland USA for efficient and location-independent administration and communication; financial administration, tax consultants, auditors, other fee offices, payment service providers for contractual or legal payment transactions.
Privacy policy Google: https://policies.google.com/privacy.
Processing in third countries: USA, as far as Google services are used.
Retention of data: The erasure of the data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

Business and market research

In order to operate our business economically and to identify market trends and user requirements, we analyse the data available to us on business transactions, contracts, enquiries, etc., in order to ensure that we are able to offer our users the best possible service. For this purpose, we combine the personal data of users from registrations and orders with the behaviour-related data of users.

In the context of the economic evaluation we bring together the data of the users independently of the used devices (e.g. if users use our online offer on a mobile or on a stationary device).

Data processed: Inventory data, contact data, contract data, payment data, usage data and metadata, e.g. activity data from e-mails via our online channels, e.g. data on the page accessed, the page history, the device used, the approximate location and data for pseudonymous identification of the user profile).
Legal basis: Art. 6 (1) f. GDPR.
Data subjects: users, prospective users, business partners, visitors and users of the online offer.
Purpose of processing: business analysis, marketing, advertising, market research.
Type, scope and mode of operation of the processing: profiling, online behavioural advertising, first party cookies.
Necessity / interest in processing: Increased user-friendliness, optimization of the service, business efficiency.
Retention of data: If a user account was created, with its cancellation, otherwise after two years from conclusion of contract. For the rest, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.

Typeform

We use Typeform support and bug reporting forms which can be filled by our end users.

Data processed: Inventory data, contract details, content data, contract data, usage data, metadata.
Legal basis: Article 6 (1) (b) - Users / Article 6 (1) (f) - Users interested in the services
Data subjects: End Users.
Purpose of processing: Provision of a service channel for users and those interested in our services.
Special security measures: DPA.
Opt-Out: Instructions how to disable cookies in the Cookie Policy: https://admin.typeform.com/to/dwk6gt
Necessity / interest in processing: Performance of contract, legitimate business interests.
External disclosure: Typeform SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona (Spain)
Privacy Policy: https://admin.typeform.com/to/dwk6gt
Processing in third countries: US
Retention of data: - For performing the contract, for as long as the contractual relationship is in force and during the five years following the end of said relationship;

- For as long as the processing is covered by the user consent;

- For as long as necessary to comply with legal obligations of Typeform;

- For as long as the processing is strictly necessary to pursue the legitimate interests and achieve the goals pertaining to such legitimate interests as set out it Typeform Privacy Policy.

Data protection information for Job Candidates

This section informs job candidates about the processing of their data during the application process.

Application process

Candidates can send us their applications via e-mail. Please note, however, that e-mails are generally not sent in encrypted form and that the candidates themselves must ensure that they are encrypted. We can therefore accept no responsibility for the transmission of the application between the sender and the reception on our server.
Instead of applying by e-mail, candidates can still send us their application by post.

Data processed: Inventory data, contact data, content data (content of application folder, correspondence, internal comments).
Special categories of personal data: Yes, if required for the application procedure or submitted by candidates (e.g. health data).
Legal basis: Art. 6 para. 1 lit. b. GDPR, § 26 Federal German Data Protection Act (BDSG).
Data subjects: Applicants
Purpose of processing: application procedure, selection of applicants.
Special security measures: Restriction of access to application documents to jobs that are involved in the application process; Encrypted transmission option.
Necessity / interest in processing: Precondition for the selection of suitable candidates.
Retention of data: The data provided by the candidates may be further processed by us for employment purposes in the event of a successful application; otherwise, if the application for a job offer is not successful, the candidates' data will be deleted or made anonymous. Candidates' data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time. Candidates will be deleted after a period of six months, subject to justified revocation, so that we can answer any follow-up questions to the application and meet our obligations under the General Equal Treatment Act (AGG).

Campusjäger by Workwise (Application process)

We use the services of the recruitment platform Campusjäger for the purposes of searching for job candidates, making and contacting them, as well as forwarding application documents and selecting job applicants.

Data processed: Personal information (including, but not limited to, name, identification number(s), photograph(s), address, birth date, gender, marital status, number of children, emergency contact, telephone number(s), academic and professional qualifications, CV/resume, employment history, language proficiency, etc.).
Special categories of personal data: Health status, disability information, data on religious affiliation.
Legal basis: Art. 6 para. 1 lit. b. GDPR, § 26 Federal German Data Protection Act (BDSG).
Data subjects: job candidates.
Special security measures: SSL encryption for sensitive data.
Necessity / interest in processing: Business interests, HR-Efficiency, performance of the services pursuant to the contract
External disclosure: Campusjäger GmbH, Leopoldstr. 7c, 76133 Karlsruhe, Germany.
Privacy Policy: https://www.workwise.io/datenschutz
Processing in third countries: None.
Retention of data: The duration of data storage is determined by the HR processes within which the data is processed. User may withdraw their consent to processing of their personal information or request a deletion or their personal information at any time.

Workable (Application process)

To conduct the online application process, we use the services of third party provider Workable Software Limited, 21a Kingly Street, 2nd Floor, London, W1B 5QA, UK.

The use of Workable is based on our legitimate interests as well as the interests of the candidates in the implementation of a fast and effective application process (within the meaning of Art. 6 para. 1 lit f. GDPR
"Workable" is based in the European Union. Candidate data will be processed on a server of Amazon Web Services (AWS), Inc, 410 Terry Avenue North, Seattle, Washington 98109-5210, USA in the USA. In addition, Workable's US subsidiary in the USA may be commissioned to process the data. To ensure compliance with EU data protection standards, Workable UK has concluded Data Processing Agreements with AWS and the US subsidiary based on the EU Commission's Model contracts for the transfer of personal data to third countries - Standard Contractual Clauses for Data transfers between EU and non-EU countries (further information: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en).
Workable's privacy policy: https://www.workable.com/privacy.

Application Process - Talent Pool

As part of the application process, we offer job candidates the opportunity to be included in our talent pool for a period of two years. In this case, the following information is added to the general information on the application procedure:

Candidates are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 GDPR.

Legal basis: Consent Article 6 (1) a. and Art. 7 GDPR, § 26 (2) Federal German Data Protection Act (BDSG).
Purpose of processing: Reservation of candidates for future application processes.
Special security measures: The application documents in the talent pool will only be processed within the scope of future job vacancies and the search for employees.
Retention of data: After the deadline of two years.

Wellfound (formerly AngelList (angel.co))

WellfoundAngelList offers a talent platform which we use for recruiting purposes. We also use their integration with Deel and Workable.

Data processed: Data processed: Personal information (including, but not limited to, name, identification number(s), photograph(s), address, birth date, gender, marital status, number of children, emergency contact, telephone number(s), academic and professional qualifications, CV/resume, employment history, language proficiency, etc.); Information in connection with the employee’s job (including, but not limited to, title, grade, location, reporting lines, team affiliation, hire date, working hours, contract details, performance and evaluation data, employee discipline information, work history, benefits and insurance, assets assigned, training, time-off documentation, etc.).
Legal basis: Art. 6 (1)(b) GDPR, 26 BDSG-DE
Data subjects: Employees, job candidates
Purpose of processing: Recruitment.
Opt-Out: Opt-Out links & instructions how to opt out in the Privacy Policy: https://wellfound.com/privacy
Necessity / interest in processing: Performance of contract, providing the services, legitimate business interests, user consent, complying with legal or regulatory obligations
External disclosure: AngelList Holdings, LLC, 90 Gold St Fl 3, San Francisco, CA 94133, USA
Privacy Policy: https://angel.co/privacy
Processing in third countries: USA or elsewhere outside of the EU
Guarantee when processing in third countries: standard contractual clauses.
Retention of data: Personal data will be retained as long as the user account is active or it is reasonably needed for the purposes set out above, including keeping personal data after user has deactivated their account for the period of time needed for AngelList to pursue their legitimate business interests, conduct audits, comply with legal obligations, resolve disputes and enforce their agreements. Personal data may also be retained for a longer period of time if such retention is required by law.

BambooHR

We use BambooHR for keeping track of the employees’ and job candidates’ data, employee self-onboarding and other HR-related tasks.

Data processed: Employees and Job Candidates: Personal information (including, but not limited to, name, identification number(s), photograph(s), address, birth date, gender, marital status, number of children, emergency contact, telephone number(s), academic and professional qualifications, CV/resume, employment history, language proficiency, etc.); Information in connection with the employee’s job (including, but not limited to, title, grade, location, reporting lines, team affiliation, hire date, working hours, contract details, performance and evaluation data, employee discipline information, work history, benefits and insurance, assets assigned, training, time-off documentation, etc.); Payroll related information (including, but not limited to, salary and compensation information, tax and social security information, bank details, pensions, share options, bonuses, other benefits, etc.).
Referees / References: Contact details: address, telephone number (fixed and mobile), email address, fax number, emergency contact information.
Special categories of personal data: Health status, disability information, data on religious affiliation.
Legal basis: Art. 6 (I) lit. f GDPR, Art. 28 (III) S. 1 GDPR
Data subjects: Employees, job candidates, referees / references.
Type, scope and mode of operation of the processing: Session cookies, permanent cookies, internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data, third party cookies, web-beacons
Special security measures: SSL encryption for sensitive data.
Necessity / interest in processing: Business interests, HR-Efficiency, performance of the services pursuant to the contract
External disclosure: BambooHR, 335 South 560 West Lindon, UT 84042-1911, USA
Privacy Policy: https://www.bamboohr.com/privacy.php
Processing in third countries: USA
Retention of data: The duration of data storage is determined by the HR processes within which the data is processed. User may withdraw their consent to processing of their personal information or request a deletion or their personal information at any time by making the change on the member information page, though BambooHR contact us page, by telephone or by postal mail. The said requests are processed promptly and in any event within 30 days of user call or receipt of user request.

Deel

We use an international recruitment and payroll service offered by Deel.

Data processed: Inventory data, contact details, usage data, metadata, payment and transaction data, billing information
Special categories of personal data: none.
Legal basis: Art 6(1)(b), § 26 (1)BDSG, 6(1)(f) general Usage of the platform on the basis of legitimate business interests (recruitment/freelancer).
Data subjects: Employees, freelancers
Purpose of processing: Providing contractual services, making and managing payments, managing fees and charges due on user accounts, collecting and recovering money, developing & improving products and services, web analytics, marketing and communications (including those related to events and surveys), crime prevention and managing risks, business management
Type, scope and mode of operation of the processing: Cookies, third party cookies, web beacons, tracking, cross-device tracing, social plugins & embedded third party features (Facebook, Twitter, Pinterest, LinkedIn, YouTube, Intercom, Logrocket, Sentry, Calendly, Paypal, Braintree, Stripe, Heap), marketing, web analytics (Google Analytics)
Special security measures: All data of the Deel platform is stored in the Amazon Web Services (AWS) data center in Ireland (EU). Deel will take all reasonable legal action to challenge and suspend disclosure orders from authorities and will produce only the minimum data necessary for lawful compliance (So far, Deel never had any request from authorities to disclose data) - See also Appendix 2: Technical and organizational measures in the DPA.
Opt-Out: Opt-out instructions & links in the Cookie Policy: https://www.letsdeel.com/cookie-policy
Necessity / interest in processing: Legitimate business purposes, user consent, providing contractual services
External disclosure: Deel Inc., 650 2nd Street San Francisco, CA 94107 USA
Privacy Policy: https://www.letsdeel.com/privacy
Processing in third countries: USA
Guarantee when processing in third countries: standard contractual clauses.
Retention of data: Personal data is generally kept for the duration of services and then promptly deleted by Deel. Certain categories of personal information can be kept for up to 10 years after you cease to use the service, for the following reasons: to respond to a question or complaint, to study customer data as a part of own research, to comply with legal rules (e.g. Money Laundering regulation). In some cases, personal data can be kept for longer than 10 years if Deel is unable to delete it for legal, regulatory or technical reasons.

Webserver and Security

Our services are operated on web servers. In the following section we will inform you about their use and data processed during the operation of our servers.

Amazon Web Services

We use Amazon Web Services including infrastructure and platform services, computing capacity, storage and database services, telecommunications services, security services, technical maintenance services, and cloud hosting services.

Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data, traffic data.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR, Art. 28 (III) S. 1 GDPR.
Data subjects: users, prospects, business partners, employees, website visitors.
Necessity / interest in processing: Use of an efficient and secure server infrastructure.
External disclosure: See https://aws.amazon.com/compliance/third-party-access
Privacy Policy: https://aws.amazon.com/privacy, :https://www.amazon.com/gp/help/customer/display.html?nodeId=468496
Processing in third countries: USA
Retention of data: The data on the server is processed for the purposes of our contract-related services. Please refer to the information on the key area of our services.

Hetzner

Hetzner is an Internet hosting company and data center operator. We use Hetzner’s infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services

Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data, traffic data.
Legal basis: Art. 6 (1) lit. f GDPR, Art. 28 (3) S. 1 GDPR.
Data subjects: Customers, prospects, business partners, employees, website visitors.
Purpose of processing: Webhosting, E-Mail-Services, Security.
Necessity / interest in processing: Security, business interests)
External disclosure: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Deutschland.
Privacy Policy: https://www.hetzner.de/rechtliches/datenschutz
Retention of data: Determined by the processes within the framework of which the data is stored on the server.

Cloudflare

Cloudflare provide hosting and content delivery network, DDoS mitigation, internet security and distributed domain name server services. Our complete Project Traffic is routed through Cloudflare.

Data processed: Processed for the purpose of providing the services of Cloudflare (provision of content, transit of website and app traffic): IP address of the user, browser information, country, device type.
Legal basis: Art. 6 (I) 1 lit. f GDPR, Art. 28 (III) S. 1 GDPR
Data subjects: All users who use our online services.
Necessity / interest in processing: User-friendliness, business interests.
External disclosure: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Processing in third countries: USA, based on standard contractual clauses: https://www.cloudflare.com/cloudflare-customer-scc.
Retention of data: Only short intermediate storage within the scope of data caching and data delivery (5-7 days).

Godaddy

Domain name registrar and web hosting services.

Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data, traffic data.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR, Art. 28 (III) S. 1 GDPR.
Data subjects: Users, prospects, business partners, employees, website visitors.
Necessity / interest in processing: Use of an efficient and secure server infrastructure.
External disclosure: GoDaddy.com LLC, 14455 North Hayden Road Suite 219 Scottsdale, AZ 85260 USA
Privacy Policy: https://www.godaddy.com/agreements/showdoc.aspx?pageid=PRIVACY&isc=gofddede06
Processing in third countries: USA
Retention of data: The data on the server is processed for the purposes of our contract-related services. Please refer to the information on the key area of our services.

Google Suite and Google Cloud

We use the Google Cloud and the Google Suite Service for the following purposes: Google Drive for document storage (marketing, sales, evaluations, accounting, personnel, contracts, finance), Google Calendar for calendar management - Google Docs, spreadsheets and presentations for online document collaboration; storage of data, websites and public documents.

Data processed: Data relating to users and employees (master data, contact data, process data, content data); usage data and metadata used by Google for security and service optimisation purposes.
Data Subjects: Employees, customers / interested parties, contractual partners, other third parties.
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, online behavioural advertising, tracking.
Legal Basis: Art. 6 (1) lit. b GDPR when relation to contractual services, Art. 6 (1) lit. f GDPR (when based on our legitimate interests concerning our administration, security and business interests), § 26 BDSG in case of Employees
Special security measures: Pseudonymization, Data Processing Agreement.
External disclosure and purpose: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://www.google.com/policies/privacy.
Processing in third countries: USA.
Guarantee when processing in third countries: EU Standard Contractual Clauses.
Retention of data: Determined by the processing operations during which the data is stored on the server.

MongoDB Atlas

MongoDB Atlas is a cloud-based DaaS (Data as a service) solution offered by MongoDB.

Data processed: Inventory data, contact details, content data, usage data, metadata
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Users.
Purpose of processing: Provision of database services.
Necessity / interest in processing: Technical efficiency and security.
External disclosure: MongoDB, Inc., 229 W 43rd Street, 5th Floor, New York, NY 10036, United States
Privacy Policy: https://www.mongodb.com/legal/privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: Standard Contractual Clauses.
Retention of data: User may request deletion of their Personal Data by MongoDB.

New Relic

New Relic provides a digital intelligence platform lets developers, ops, and tech teams measure and monitor the performance of their applications and infrastructure. We use New Relic services for server and application monitoring.

Data processed: Usage data, metadata, IP address.
Legal basis: Art. 6 (1) f. GDPR (providing interesting information to users, commercial interests)
Data subjects: Users/ Website visitors.
Purpose of processing/ Necessity / interest in processing: User-friendliness including efficient support, technical efficiency, optimization, security, legitimate business interests.
Type, scope and mode of operation of the processing: Profiling (for security reasons)
Opt-Out: https://newrelic.com/termsandconditions/cookie-policy; https://newrelic.com/termsandconditions/privacy; Personal Data Request Form” with additional options that are provided to https://newrelic.com/content/dam/new-relic/privacy/personal-data-request-form.pdf
External disclosure: New Relic, Inc., 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA
Privacy Policy: https://newrelic.com/termsandconditions/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses.
Retention of data: Only as long as storage is required. See also cookie policy: https://newrelic.com/termsandconditions/cookie-policy - some cookies are kept for 630 days and longer (including some targeting and analytics cookies). “Data Erasure” in “Personal Data Request Form”: https://newrelic.com/content/dam/new-relic/privacy/personal-data-request-form.pdf.

Raygun

Raygun provides error, crash and performance monitoring for software teams. We use Raygun as PHP error and exception handler.

Data processed: Customer information (User's first and last name, User's email address, User's IP address);
Company information: (Business contact information (company, email, phone, physical business address), Personal contact information (email, phone), Title, Position, Employer Connection data.
Special categories of personal data: none.
Legal basis: Art. 6 (1) f. GDPR (providing interesting information to users, commercial interests)
Data subjects: Prospects, customers, business partners and vendors
Employees or contact persons, customers, business partners and vendors
Employees, agents, advisors, independent contractors
authorized users (individuals authorized by data exporter to use the Raygun Products)
Purpose of processing: error, crash and performance monitoring).
Type, scope and mode of operation of the processing: Cookies
Special security measures: IP addresses are not saved anonymously currently but we are going to put in an option to disavow IP addresses as well as location details (Sydney, Australia etc) from being recorded.
Necessity / interest in processing: Providing & improving services, security.
External disclosure: Raygun Limited, L7, 59 Courtenay Place, Te Aro, Wellington, 6011, New Zealand.
Privacy Policy: https://raygun.com/privacy
Processing in third countries: New Zealand, USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses.
Retention of data: Data is kept for as long as it is necessary and then erased. An erasure can be requested individually.

SolarWinds Worldwide, LLC (Pingdom and Papertrail)

We use the services of SolarWinds (Pingdom and Papertrail) to monitor the performance of our websites and to determine how changes we make to our websites affect visitor experience.

Data processed: Content data, usage data, metadata (icluding IP-Address)
Special categories of personal data: none.
Legal basis: Art. 6 (I) f GDPR.
Data subjects: Users.
Purpose of processing/ Necessity / interest in processing: Technical efficiency and security.
Type, scope and mode of operation of the processing: Cookies, flash cookies, third party cookies, profiling, tracking, clicktracking, web analytics.
Special security measures: Data Processing Agreement.
Opt-Out: https://www.solarwinds.com/cookies.
External disclosure: Solar Winds, Inc., 7171 Southwest Parkway, Bldg 400., Austin, Texas, 78735, USA
Privacy Policy: https://www.solarwinds.com/legal/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses.
Retention of data: Solarwinds apply a general rule of keeping personal data only for as long as required to fulfil the purposes for which it was collected. In some circumstances, the personal data might be retained for other periods of time, for instance in order to meet legal, tax and accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity having authority to make the request, for so long as required. Erasure of data upon user’s request via: https://www.solarwinds.com/legal/personal-data-request.

Sophos Managed Detection and Response

Cybersecurity service that provides threat detection, investigation, and response capabilities to quickly identify and mitigate potential security breaches.

Data processed: IP address ,Usernames and other identifiers, Network and network activity information, Other information that may be transmitted or processed in connection with the service.
Data subjects: Personnel, customers and users.
External disclosure: Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP, UK.
Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Privacy policy: https://www.sophos.com/en-us/legal/sophos-group-privacy-notice
Processing in third countries: UK, Adequacy decision.
Retention of data: Deletion, anonymisation after processing for security verification.

Embedded content and functions

In this section we inform you which contents, software or functions (briefly "contents") of other providers we embed in the context of our website on the basis of Art. 6(1)(f) GDPR (so-called "embedding"). If we ask users to give their consent to the use of the Services (e.g. in the context of a so-called cookie opt-in), the use is based on consent in accordance with Art. 6 (1) (a) GDPR.

The embedding is done to make our online offer more interesting for our users or for legal reasons, e.g. to be able to present videos or social media contributions within our online offer at all. Embedding can also be used to improve the speed or security of online content, e.g. when software elements or fonts are obtained from other sources. The processed data includes in all cases the user's usage and metadata and also the IP address necessarily transmitted to the provider for embedding the content, the data subjects include the visitors to our website. The data subject categories include the users of our website, users and interested parties. Further explanations can be found in the definitions of terms, in particular on the functions and security measures, at the end of this Privacy Policy. The data retention is determined by the data protection conditions of the providers of the embedded content.

Ex.co (former Playbuzz) content distribution

Playbuzz is a content partner with whose help we can present relevant content for the users within our online services. Playbuzz itself states that no personal user data will be stored or otherwise processed by Playbuzz itself.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: permanent cookies, third party cookies, tracking, interest-based marketing, profiling, remarketing.
Special protective measures: Data Processing Agreement.
Opt-Out: https://ex.co/privacy-policy/.
External disclosure: - Ex.co, Ltd, 49 W 23rd St., 6th Floor, New York, NY, 10010.
Privacy Policy: https://ex.co/privacy-policy/
Processing in third countries: USA.
Retention of data: Playbuzz stores data for as long as necessary to provide its own services. Playbuzz will store and use the data as necessary to comply with its legal obligations, resolve disputes and enforce Playbuzz's policies. The retention periods shall be determined taking into account the nature of the information collected and the purpose for which it is collected, the requirements applicable to the situation and the need to destroy obsolete, unused information at the earliest opportunity.

Facebook Features and Content

Functions and contents of the Facebook service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or transmission (but not further processing) of "Event Data" that Facebook collects or receives as part of a transmission using the Facebook Social Plugins that run on our website for the following purposes: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing/update), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.

Data processed: Public Public profile https://www.facebook.com/help/203805466323736/ (includes your name, gender, username and user ID (account number), profile picture, cover picture and networks); usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
Opt-Out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choices (US).
External disclosure and purpose: Facebook Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Facebook conditions.
Single sign-on authentication with Facebook
We use Facebook's single sign-on method, which allows users to register within our online service.
Data processed: Inventory data (name, e-mail address, password (only processed on Facebook and cannot be viewed by us), user ID, user handle);
External disclosure and purpose: Facebook Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Facebook's conditions.

Giphy features and content

Functions and contents of the Giphy service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: Giphy, Inc., 416 West 13th Street, Suite 207 New York, NY 10014.
Privacy Policy: https://support.giphy.com/hc/en-us/articles/360032872931.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Giphy’s policies. Generally, a storage period for Cookie-Data of up to 390 days can be assumed.

Google Services and Content

We use the following services and contents of the provider Google: YouTube - Videos; Google Maps - Maps; Google Fonts - Fonts; Google - Recaptcha.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, online behavioural advertising, tracking.
Special security measures: Pseudonymization, opt-out.
Opt-Out: http://tools.google.com/dlpage/gaoptout?hl=de, https://adssettings.google.com/.
External disclosure and purpose: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://www.google.com/policies/privacy.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Google's conditions.

Imgur features and content

Functions and contents of the Imgur service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: Imgur, Inc., 600 California Street Fl. 11, San Francisco, California, 94108, USA.
Privacy Policy: https://imgur.com/privacy
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Imgur’s policies. Generally, a storage period for Cookie-Data of up to 390 days can be assumed.

Instagram Features and Contents

Functions and contents of the Instagram service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or transmission (but not further processing) of "Event Data" that Facebook collects or receives as part of a transmission using Instagram functions that run on our website for the following purposes: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing/update), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_term ) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
External disclosure and purpose: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
Privacy Policy: https://help.instagram.com/519522125107875
Processing in third countries: USA
Retention of data: The data will be deleted in accordance with Instagram's policies.

Pinterest features and content

Functions and contents of the Pinterest service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA, or, if you are based in the EU or in Switzerland, Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Privacy Policy: https://about.pinterest.com/de/privacy-policy.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Pinterest’s policies.

Reddit features and content

Functions and contents of the Reddit service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: Reddit, Inc., 548 Market Street #16093, San Francisco, California 94104, USA.
Privacy Policy: https://www.redditinc.com/policies/privacy-policy-january-10-2020.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Reddit’s policies. Generally, a storage period for Cookie-Data of up to 390 days can be assumed.

Rumble features and content

Functions and contents of the Rumble service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: Rumble Inc., 218 Adelaide Street West, Suite 400 Toronto, Ontario, M5H 1W7 Canada.
Privacy Policy: https://rumble.com/s/privacy.
Processing in third countries: Canada.
Guarantee when processing in third countries: Canada, Recognised level of data protection.
Retention of data: The data will be deleted in accordance with Rumble’s policies. Generally, a storage period for Cookie-Data of up to 390 days can be assumed.

TikTok features and content

Functions and contents of the Tiktok service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: musical.ly Inc., 10351 Santa Monica Blvd #310, Los Angeles, CA 90025 USA.
Privacy Policy: https://www.tiktok.com/de/privacy-policy.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Tiktok’s policies. Generally, a storage period for Cookie-Data of up to 390 days can be assumed.

Twitter features and content

Functions and contents of the Twitter service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and functioning of processing: social plug-ins, permanent cookies, third party cookies, interest-based marketing, tracking, remarketing.
Opt-Out: https://twitter.com/personalization.
Disclosure external: Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
Privacy Policy: https://twitter.com/de/privacy.
Processing in third countries: USA.
Deletion of data: The data will be deleted in accordance with Twitter’s policies.

video intelligence video player

Video player embedded in our web pages.

Data processed: Usage Data, Meta Data (IP-Address); the personal data processed by vi (cookie id, ip address, device id, geo-location) are used to identify ad campaigns eligible for delivery and to prove the user with the best user experience possible; furthermore, the IP Address is processed to determine Geographic Location; the IP Address is processed for a short period of 24 hours only when the video player registers different events such as: player loaded, ad started, content started etc.
Legal basis: Art. 6 (I) lit. f GDPR..
Data subjects: Website visitors.
Purpose of processing: Embedding of a Video Player, playing video content in user’s browser.
Type, scope and mode of operation of the processing: third-party-cookies.
Opt-Out: https://www.vi.ai/gdpr/.
Necessity / interest in processing: improving user experience, business Interests.
External disclosure: video intelligence AG, Muhlebachstr. 70, 8008 Zurich, Switzerland.
Privacy Policy: https://www.vi.ai/privacy-policy/.
Processing in third countries: Switzerland.
Guarantee when processing in third countries: Asserted data protection level..
Retention of data: The personal data (IP-Address) is aggregated after 24h to only summarize these events for our webpage, and IP address gets deleted from the systems.

Sharing graphics with Snapchat

As part of our services, we offer users the opportunity to share graphics generated by us via the Snapchat platform. For these purposes we ask for the first name of the users, which is then integrated into the generated graphic. The graphic is stored on our server without personal reference, i.e. without IP addresses or other individualizing features (except for the first name, which itself does not allow identification). For the processing of the data by Snapchat, we refer to the data protection regulations of the provider.

External disclosure: Snap Inc, 3000 31st Street, Santa Monica, California 90405, USA.
Privacy policy: https://www.snap.com/de-DE/privacy/privacy-policy.
Processing in third countries: USA.
Guarantee for processing in third countries: https://businesshelp.snapchat.com/en-US/article/standard-contractual-clauses.

WhatsApp features and content

Within our online services, functions and contents of the WhatsApp-Messenger can be incorporated. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
External disclosure and purpose: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy Policy: https://www.whatsapp.com/legal.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with WhatsApp's policy.

External online profiles

In this area you will find information about our data processing in the context of operating external online activities, e.g. in social media.

Online Presences in Social Media

We maintain online presences within social networks and platforms in order to communicate with the customers, prospective customers and users active there and to be able to inform them about our services there.

We would like to point out that data of users outside the European Union and the Switzerland may be processed. This can pose risks for users because, for example, the enforcement of users' rights could be made more difficult. Furthermore, user data is usually processed for market research and advertising purposes. Thus, for example, user profiles can be created from the user behaviour and the resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to these).

The processing of users' personal data is based on our legitimate interests in effective user information and communication with users. If the users are asked by the respective providers for a consent to the data processing (i.e. declare their consent e.g. by ticking a checkbox or confirming a button), the legal basis of the processing is a consent.

For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the information provided by the providers linked below.

Also in the case of requests for information and the assertion of user rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, then please contact us.

Social networks/platforms that might be used by us: Facebook, Instagram, LinkedIn, Pinterest, Twitter, Xing, YouTube.
Data processed: Inventory data, contact data, content data, usage data, metadata.
Special categories of personal data: In principle, no, except as provided voluntarily by users.
Legal basis:Art. 6 (1) f. GDPR
Data subjects: Users of social media networks/ platforms (this can include users and prospective users).
Purpose of processing: Information and communication.
Type, scope and mode of operation of the processing: By providers of the respective platforms as a general rule: permanent cookies, tracking, targeting, remarketing, online behavioural advertising.
Necessity / interest in processing: Expectations of users active on the platforms, business interests.
External disclosure and purpose: To the social networks/platforms.
Processing in third countries: USA.
Retention of data: The deletion policies of the respective networks/ platforms apply.
Links to the information of the respective platforms:

Facebook (Facebook Inc, 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU or in Switzerland, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Privacy policy: https://www.facebook.com/about/privacy/, Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.
Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy policy: https://policies.google.com/privacy, Opt-out: https://adssettings.google.com/authenticated.
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy policy/ Opt-Out: http://instagram.com/about/legal/privacy/.
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Privacy policy: https://twitter.com/privacy, Opt-out: https://twitter.com/personalization.
LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) - Privacy policy https://www.linkedin.com/legal/privacy-policy , Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA, or, if you are based in the EU or in Switzerland, Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. Datenschutzerklärung, Opt-Out: https://about.pinterest.com/de/privacy-policy.
Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland) - Privacy policy/ Opt-out: https://privacy.xing.com/de/datenschutzerklaerung.

Organization and Marketing

In this section you will find information on data processing carried out by us for the purpose of optimising our marketing and market research activities, as well as managing our ventures.

ADYOULIKE

ADYOULIKE is a technology partner with whom we manage the real-time display of ads on our online services.

Data processed: Usage data, Metadata, ADYOULIKE does not use or store IP-addressess for advertising targeting purposes ( In line with industry best practices, ADYOULIKE does use IP addresses for fraud detection purposes. The goal is to identify situations that can be associated with robots as a large volume of clicks in a limited time; or to extract geographic information.)
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Realtime bidding, Ads Display.
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: IP-Masking, Data Processing Agreement, Opt-Out.
Opt-Out: https://www.adyoulike.com/privacy_policy.php.
External disclosure: ADYOULIKE, 37- 39 rue Boissière, Paris (75116), France.
Privacy Policy: https://www.adyoulike.com/privacy_policy.php.
Retention of data: The collected browsing data is kept for a maximum of thirteen months (13 months) after the date of collection. The cookies expire three months after their last update.

Amazon Publisher Services

With the help of Amazon we market advertising material and advertising spaces within our online services.

Data processed: Usage data and metadata (including IP-Adresses: Full IP address, which is used for fraud detection and traffic quality, and is sent to approved third parties in accordance with Amazon’s Privacy Policy. For all other internal uses related to the serving of interest-based ads, the IP address is truncated · A pseudonymized identifier. In web, this is the Cookie ID, which is used by Amazon advertising systems for a variety of purposes including 1/ to recognize user pseudonymously, 2/ to maintain opt out status, 3/ for fraud detection and traffic quality, 4/ for targeting, and 5/ for frequency capping.)
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit.a GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Marketing of commercial space/areas in online-services
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling.
Special security measures: IP-Masking, Opt-Out, According to Amazon, the data is mainly processed on servers in local areas of users, i.e. for European users in the European Union.
Opt-Out: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496.
External disclosure: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxemburg.
Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010.
Processing in third countries: USA

Appnexus

Appnexus is a technology partner with whom we manage the real-time display of ads on our online services.

Data processed: Usage data, Metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Realtime bidding, Ads Display.
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: IP-Masking, Data Processing Agreement, Opt-Out.
Opt-Out: https://www.appnexus.com/en/company/platform-privacy-policy#choices.
External disclosure: AppNexus, 28 West 23rd Street, 4th Fl, New York, New York 10010, USA.
Privacy Policy: https://www.appnexus.com/en/company/platform-privacy-policy.
Processing in third countries: USA
Retention of data: The pseudonymous data is usually deleted for 30-90 days, but can be stored for up to 18 months until it is aggregated and thus made anonymous.

Bitly

Bitly is a URL shortening service and a link management platform.

Data processed: usage data, metadata; Bitly Link Metrics is collected when the end user interacts with a Bitly link, and could be shared with the Bitly customers.
Legal basis: Article 6 (1) (f) GDPR.
Data subjects: Users.
Purpose of processing: Providing information about services and the account, web analytics and research, analyzing trends.personalizing services and developing new products and services
Type, scope and mode of operation of the processing: Cookies, third party cookies, tracking, demographic data, web analytics, online behavioral advertising, web beacons, cross-device tracking
Opt-Out: Opt-out links in the Privacy Policy:
https://bitly.com/pages/privacy
Necessity / interest in processing: Performance of the services pursuant to the contract, legitimate business interests, user friendliness of links.
External disclosure: Bitly, Inc., 139 Fifth Avenue, 5th Floor, New York, NY 10010, United States
Privacy Policy: https://bitly.com/pages/privacy
Processing in third countries: US
Retention of data: Bitly retains the personal information they receive for as long as the customer uses their Services or as necessary to fulfill the purpose(s) for which it was collected, provide Bitly Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

ContractHero

We use contract management software provided by ContractHero.

Data processed: Inventory data, contact details, content data, usage data, metadata, payment information
Special categories of personal data: Special categories of personal data are processed only to the extent that they may form part of contracts (e.g. job-related health information).
Legal basis: § 26 BDSG, Article 6(1)b GDPR.
Data subjects: Employees, freelancers
Purpose of processing: Transparent and secure management of contracts.
Necessity / interest in processing: Performance of contract, legitimate business interests, user consent
External disclosure: ContractHero GmbH, Kiautschoustraße 14, 13353 Berlin, Deutschland
Privacy Policy: https://www.contracthero.de/datenschutzerklaerung
Processing in third countries: n/a.
Retention of data: The retention period depends on the general retention period of the respective contracts.

DocuSign

DocuSign provides a digital transaction management platform to facilitate digital transactions that include the signing process of contractual documents and other documents.

Data processed: Inventory data, Contact data of the contractual partners and their employees, Contract contents
Special categories of personal data: none
Legal basis: Art. 6 (1) b GDPR.
Data subjects: Freelancers, Contract partners. + Employees
Purpose of processing: We are using DocuSign to manage electronic agreements with our freelancers.
Opt-Out: Opt-out links in the Privacy Policy: https://www.docusign.com/company/privacy-policy
Detailed information about cookies and other technologies, as well as opt-out links, in the Cookie Notice: https://www.docusign.com/company/cookie-policy
External disclosure: DocuSign, Inc., 221 Main Street Suite 1000 San Francisco, CA 94105 United States; DocuSign Germany GmbH, Neue Rothofstrasse 13-19, 60313 Frankfurt, Deutschland
Privacy Policy: https://www.docusign.com/company/privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: Binding Corporate Rules (both as Data Controller and as Data Processor):
https://www.docusign.com/trust/privacy/bcrc-csb-code
https://www.docusign.com/trust/privacy/bcrp-privacy-code
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=613841
Retention of data: DocuSign will keep your personal information for no longer than necessary for the purposes for which it is processed.

Easycompliance

Easycompliance is utilized for conducting a matching process that involves comparing the names of individuals and businesses against various sanctions lists, including but not limited to the European Union and/or Reguvis (Haddex sanctions lists) and/or OFAC (US-SDN / NONSDN) and/or info4c's PEPDESK database. The purpose of this process is to identify any potential matches and ensure compliance with relevant regulations.

Data processed: First and last names of persons, names of companies / organizations, Reference number, (e.g. customer number, supplier number).First and last names of persons, names of companies / organizations, Reference number, (e.g. customer number, supplier number).
Special categories of personal data: none
Legal basis: Art. 6 (1) f GDPR.
Data subjects: Customers and/or suppliers and/or employees and/or interested parties.
Purpose of processing: Carrying out a matching procedure for the purpose of matching names of persons and companies with lists of sanctions lists (in particular the European Union and/or Reguvis (Haddex sanctions lists) and/or OFAC (US-SDN / NONSDN) and/or info4c's PEPDESK database.
External disclosure: Siemssen Consulting GmbH, Stresemannstraße 46, 27570 Bremerhaven, Germany.
Privacy Policy: https://www.easycompliance.de/datenschutz/.
Processing in third countries: Easycomplience uses the following company for the Domain Name System (DNS), as Content Delivery Network (CDN), proxy, (DNS-)firewall and for further cyber security services: Cloudflare, Inc. 101 Townsend Street San Francisco, CA 94107 / USA Cloudflare Inc. has no access to the contractor's data processing facilities. The Contractor uses the following company for 1st, 2nd and 3rd level support and electronic contact (SaaS ticket system) between the Contractor and the Client. Zendesk Ltd. 1019 Market Street San Francisco, CA 94103 / USA. The legal basis for the third country transfer is regulated by EU standard contractual clauses, Art. 46 para. 2 lit c. GDPR.
Retention of data: As long as required for resolution/execution of contracts/holding for the future.

Harvest (Iridesco, LLC)

We are using a time tracking tool provided by Harvest (Iridesco, LLC).

Data processed:Inventory data concerning freelancers, metadata and usage data as well as content data concerning the types of activities, time spent and analyses based on them.
Legal basis:Article 6 (1)(b) GDPR.
Data subjects:Freelancers + Employees
Purpose of processing: Harvest is used to track the time of freelancers. The purpose is to track working times and identify any bottlenecks. Thus, for example, it can be determined whether structural weaknesses exist at the client's or the freelancers', as well as how these can be addressed as optimally as possible for both parties. The use takes place via an integration in the project management software Trello. Every freelancer can use Trello to view an overview of activities and times.
External disclosure: Iridesco LLC, d/b/a Harvest, 16 W 22nd St, Fl 8, New York, NY 10010, United States
Privacy Policy: https://www.getharvest.com/privacy-policy
Processing in third countries: USA
Retention of data: The data is stored as long as it is necessary for order processing and storage for commercial and tax reasons or to deal with legal claims. This is usually the time of cooperation and another 4 years thereafter as well as up to 10 years for legal archiving purposes.

Hootsuite

Hootsuite is a social media management platform that offers a number of integrating solutions for measuring & benchmarking, performance optimization, visualization & analyse, creating and publishing content and nurturing communities.

Data processed: User Generated Content (such as messages, posts, comments, pages, profiles, feeds or communications on social media sites / networks); Contact details (such as name, email address, telephone number); additional individual information (such as age, gender, employer, profession, geographic location, education information or other content); Communications, data, other information or content not described above that is sent by or received through Hootsuite Services.
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit. f GDPR, Art. 28 (3) S. 1 GDPR.
Data subjects: Employees, business partners and their employees, users of social networks and persons whose data is processed by social networks, messages, feeds which are transmitted by us to Hootsuite via inputs, interfaces or otherwise for processing on behalf.
Type, scope and mode of operation of the processing: Cookies, tracking, web beacons and software tokens, remarketing/retargeting, third party cookies, web analytics (including Google Analytics: universal analytics, cross-device-tracking, third party cookies, Google Display Advertising)
Necessity / interest in processing: Efficiency, business interests.,
External disclosure: HootSuite Media Inc., 5 East 8th Avenue. Vancouver, V5T 1R6, Canada.
Privacy Policy: https://hootsuite.com/legal/privacy
Processing in third countries: Canada, USA
Guarantee when processing in third countries: DPA/Standard Contractual Clauses, https://www.hootsuite.com/en-hk/legal/data-processing-addendum
Retention of data: The deletion periods are determined according to the deletion periods for processing communications and customer data; in other respects, deletion takes place if the data is not required and no archiving obligations exist, which is regularly checked every two years or on an ongoing basis. Please note that certain Personal Information may need to be retained by Hootsuite for a period of time following cancellation of your account where this is necessary for our legitimate business purposes or required or authorized by applicable law.

Taboola

Taboola develops and markets service for online content publishers and advertisers that recommends digital content to website users. We use Taboola Content Discovery Platform as a cross-promotion tool.

Data processed: Inventory data, contact details, content data, payment information, usage data-
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit. f. GDPR.
Data subjects: Please_specify_the_relevant_categories_of_data_subjects.
Type, scope and mode of operation of the processing: Cookies, third party cookies, third party web beacons, cross-device-tracking, remarketing/retargeting, tracking, profiling, online behavioral advertising, web beacons, web analytics, social plugins (such as Facebook “like” button), widgets, third party online advertising, web analytics
Special security measures: Taboola only collects pseudonymised personal data - each user is assigned a unique and randomly-generated hashed Taboola User ID.
Opt-Out: https://www.taboola.com/privacy-policy#user-choices-and-optout.
Opt-Out specifically for use of cookies: https://www.taboola.com/cookie-policy
In addition, users may opt out of Taboola's services by using the opt out links provided by the NAI, DAA, or EDAA.
Necessity / interest in processing: Marketing and advertising.
External disclosure: Taboola, Inc., 1115 Broadway, 7th Floor, New York, New York 10010, USA
Privacy Policy: https://www.taboola.com/privacy-policy
Processing in third countries: USA
Retention of data: Taboola stores user information collected directly for ad serving purposes for a maximum of eighteen (18) months after the last interaction of the user with the Taboola services and anonymizes it by removing personal identifiers or aggregating the data. Taboola stores anonymous or aggregated data that cannot identify a person or a device and is used for reporting and analysis purposes for as long as this is commercially necessary. Taboola keeps opt-out information longer than this period, so Taboola can continue to comply with opt-out requests. Individual requests for deletion of user data: https://accessrequest.taboola.com/access.

Teads content distribution

With the help of Teads we market advertising material and advertising spaces within our online services.

Data processed: Usage data, metadata, advertising identifiers and/or other device identifiers. The IP address is shortened by the last two digits (IP-Masking).
Type, scope and mode of operation of the processing: permanent cookies, third party cookies, tracking, interest-based marketing, profiling, remarketing.
Special protective measures: Data Protection Addendum, Pseudonymization, Encryption of personal data, Access control, Security policy, Security auditing.
Opt-Out: https://teads.tv/privacy-policy/.
External disclosure: Teads SA, 5, rue de la BoucherieL-1247, Luxembourg.
Privacy Policy: https://teads.tv/privacy-policy/.
Processing in third countries: None.
Retention of data: For pseudonymous data 12 months from collection, longer-term for anonymous data.

Yieldlove

Yieldlove is a technology partner with whom we manage the placement of ads on our online services. Yieldlove's service includes other technology partners, for whose use consent is obtained (on the legal basis of the "IAB Europe Transparency & Consent Framework Policies" https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/). The exact information is provided to the users in the course of obtaining a so-called "Cookie-Consent-Layer".

An agreement on so-called joint responsibility has been concluded between and and Yieldlove (Article 26 GDPR). This means that we are jointly responsible for the processing (in particular the collection of data and its transmission to Yieldlove) in accordance with the law due to the use of Yieldlove. However, since Yieldlove is solely responsible for the technical implementation and we are not technically involved in the processing procedures (and in particular have no access to user data), Yieldlove assumes the internal responsibility for the technical processes and the fulfilment of data subject rights. For further information, please do not hesitate to contact us.

Processed data: Usage data, metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (para. 1) lit. a GDPR.
Data subjects: User/ website visitor.
Purpose of processing: Display of advertising.
Type, scope and functioning of processing: permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling, cross-device tracking.
Special security measures: IP masking, data processing contract, opt-out.
Opt-out: Via cookie settings.
External disclosure: Yieldlove GmbH Kehrwieder 9, 20457 Hamburg, Germany.
Privacy policy: https://www.yieldlove.com/cookie-policy.
Processing in third countries: USA (integrated providers).
Guarantee for processing in third countries: Standard contractual clauses.
Retention of data: Information in the "Cookie-Consent-Layer".

Newsletter Mailing and Performance Measurement

We will only send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter "newsletters") with the consent of the recipients or a legal permission. Subscribers' data is logged as we are required to provide documentation of registrations. We also keep track of whether newsletters have been opened and whether links have been clicked. This information is stored on a per-user basis for technical reasons, but is not used to monitor individual users, but rather, for example, to adapt content and services to users. Information that we should collect in addition to the e-mail address (e.g. name) is used to personally address the users or to adapt the contents of the newsletter to the users.

Contents of the newsletter: As indicated in the registration form, otherwise information about our services and our company.
Data processed: Inventory data (e-mail address), usage data (registration time, confirmation time double opt-in, IP address, opening of e-mail, time and place, time and click on a link in the newsletter).
Special categories of personal data: no.
Legal basis: Art. 6 (1) a., Art. 7 GDPR and § 7 (2) no. 3 UWG (sending and performance measurement), Art. 6 (1) f GDPR (logging, sending provider).
Data subjects: E-mail recipient
Purpose of processing: newsletter dispatch, optimization, proof of consent.
Type, scope and mode of operation of the processing: Web-Beacon.
Necessity / interest in processing: Only the e-mail information is required for sending, the other information is voluntary and serves to personalize and optimize the content based on the interests of the user; the obligation to provide evidence of consent is the reason for logging; performance measurement is based on legitimate interests in the optimization of the content for users and based on business interests
Opt-Out: An unsubscribe link is included in every newsletter.
External disclosure: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA (Mailchimp).
Privacy Policy: https://mailchimp.com/legal/privacy/.
Processing in third countries: USA.
Retention of data: We may store the e-mail addresses we have unsubscribed for up to three years on the basis of our legitimate interests before we delete them for the purpose of sending the newsletter in order to be able to prove a previously given consent. The processing of these data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that at the same time the former existence of a consent is confirmed.

Communication via Mail, E-Mail, Fax or Telephone

Sending information material, contacting us by telephone.

Data processed: Inventory data, address and contact data, contract data.
Special categories of personal data: no.
Legal basis: Art. 6 (1) a, Art. 7 GDPR, Art. 6 (1) f GDPR in connection with legal requirements for advertising communications.
Data subjects: users, prospective users, communication partners.
Purpose of processing: Commercial communication.
Type, scope and mode of operation of the processing: Contact is only established with the consent of the contact partners or within the scope of legal permissions.
Necessity / interest in processing: Information and business interests.
External disclosure and purpose: No.
Processing in third countries: No.
Retention of data: With objection/ revocation or expiration of the legal basis of eligibility.

Sweepstakes and Competitions

In the course of sweepstakes and competitions (" sweepstakes" for short) we processed the data of the participants for the execution of the sweepstakes. Further information on the processing of your data within the scope of the individual sweepstakes as well as any consent to the publication of their names or contributions to the sweepstakes will be provided to the users within the conditions of participation of the respective sweepstakes.
content data (e.g. contributions to competitions).
Special categories of personal data: no.
Legal basis: 6 (1) b GDPR.
Data subjects: Participants
Purpose of processing: Conducting lotteries, notification of prizes, sending prizes, possibly presentation of winners.
External disclosure and purpose: Shipping companies for the purpose of sending the prizes, possibly partners and sponsors of prizes.
Processing in third countries: No, except for sending prizes abroad.
Retention of data: As soon as the data is not required for the competition (e.g. for inquiries regarding prizes); when winners or contributions to the competition are published, they remain permanently online; otherwise, in the event of a legal obligation (end of commercial law (6 years) and tax law (10 years) retention obligation)..

Optimization

In this section you will find information on data processing carried out by us for the purpose of optimising our website. Above all, it serves us to improve the usability and functionality of the website.

Amazon Personalize

We use the Amazon Personalize service to optimize a better user experience of Facebook instant games and related messenger bots, e.g. optimized content recommendations, better quiz results, ideal sending time, ideal content and ideal frequency for notifications, etc.

Processed data: Usage data (interactions with our Facebook Instant Game), pseudonymous user ID.
Legal basis: Art. 6 (I) lit. f DSGVO, Art. 28 (III) p. 1 GDPR.
Data subjects: Users of the instant game.
Necessity / interest in the processing: optimization of the user experience.
External disclosure: Amazon Web Services (AWS), Inc., 410 Terry Avenue North, Seattle, Washington 98109-5210, USA.
Privacy policy: https://aws.amazon.com/privacy.
Processing in third countries: USA
Special security measures: Data Processing Agreement, pseudonymisation with an encrypted value (i.e. AWS cannot assign the processed data to any natural person).
Storage of data/ Opt-Out: As soon as a user logs off from our Instant-Game, the corresponding attribution possibility by means of the pseudonym key ends for us.

Google Firebase

We use Google Firebase to enable users of our games on Facebook to keep their own guestbook where their friends can post entries and save results for the quizzes and games they have participated in.

Data processed: Inventory data, contact details, content data, usage data, metadata. For full list of personal data being collected, please refer to https://firebase.google.com/support/privacy
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit b. GDPR
Data subjects: instant game users
Purpose of processing/Necessity / interest in processing: Providing the contractual services
Type, scope and mode of operation of the processing: Cookies, third party cookies, tracking, cross-device tracking, web analytics
Opt-Out: On Request.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy: https://policies.google.com/privacy, https://policies.google.com/privacy.
Processing in third countries: USA

Retention of data: On expiry of the Term, Google will delete all Customer Data (including existing copies) from Google's systems in accordance with applicable law. Google will, after a recovery period of up to 30 days following such expiry, delete all Customer Data as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.

Web analytics, online marketing and technology partners

In this section we inform you which services of technology partners are used for web analytics and online marketing purposes. If we ask users for their consent (e.g. in the context of a so-called "cookie banner consent"), the legal basis for processing data for online marketing purposes is this consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services. In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.. Further explanations can be found in the definitions of terms, in particular on the functions and security measures, at the end of this Privacy Policy. The retention of the data is determined, unless otherwise stated, in accordance with the Privacy Policies of the technology partners.

Advanced Analytics

Analytics software that we use to measure usage and interaction with our services on or in connection with Meta platforms (by means of so-called events, such as viewing posts or clicking "Like" buttons) and to obtain demographic data about our users (e.g., age average, place of residence, language used). User data is processed by Meta for the purpose of displaying content and ads based on users' presumed interests based on user profiles. The data is only provided to us in aggregated, i.e. summarized form, so that we do not see the data of individual users. We use the results to design our content and services in a user-oriented manner.

Processed data: Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses); Content data (e.g. entries in online forms); Event data (Facebook) ("Event data" is data that can be transmitted, e.g. via Facebook Pixel (via apps or other ways) by us to Facebook and relates to individuals or their actions; Data includes e.g.. Information about visits to websites, interactions with content, functions, installations of apps, purchases of products, etc.; Event data is processed for the purpose of forming target groups for content and advertising information (Custom Audiences); Event data does not include the actual content (such as written comments), no login information and no contact information (i.e. no names, email addresses and phone numbers). Event data will be deleted by Facebook after a maximum of two years, the target groups formed from them with the deletion of our Facebook account).
Type, scope, mode of operation of the processing: permanent cookies,tracking, conversion measurement, interest-based marketing, profiling, custom audiences from website.
Opt-Out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choices (US).
Disclosure external: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Privacy Policy: https://www.facebook.com/privacy/policy/.
Third country processing: USA on the basis of a contract processing agreement and standard contractual clauses.

Branch Metrics, Inc.

Branch Metrics provides a deep-link feature that allows links to be included that lead to specific sub-pages of an online service or app without directing users to the main page or with the ability to link to an app instead of a less usable mobile website. At the same time, the links can be better analyzed, which in turn allows us to better tailor the content to the users' needs. We are just using the free deep-linking feature of this service: https://branch.io/glossary/deep-linking/ and do not use it for advertising purposes.

Data processed: Inventory data, metadata, usage data.
Special categories of personal data: none.
Legal basis: Article 6 (1)(f) GDPR.
Data subjects: Employees, end users (indirectly via integrations with social sweethearts GmbH)
Purpose of processing: Implementing deep linking, improving end user in-app experience, customizing apps to users, providing, optimizing, researching and improving the Branch products and services, developing new products and services, collecting and reporting individualized and aggregated analytics metrics, enabling targeted messages to end users, marketing, compliance
Type, scope and mode of operation of the processing:
End users: Cookies, engagement data, tracking, click-tracking, cross-device tracking, demographic data, profiling, digital fingerprints, web-analytics, tracking pixels
Opt-Out: In the Privacy Policy: https://branch.io/policies/#privacy; User tracking opt-out page: https://branch.app.link/optout
Necessity / interest in processing: Legitimate business interests, improvement of usability of links.
External disclosure: Branch Metrics, Inc., 1400 Seaport Blvd, Building B, 2nd Floor, Redwood City, CA 94063, USA
Privacy Policy: https://branch.io/policies/#privacy
Processing in third countries: USA,
Guarantee in case of processing in third countries: standard contractual clauses.
Retention of data:
The data related to a user is deleted automatically if the user has been inactive for 30 days (up to 90 für specific services). Usage activity logs are kept for no more than 7 days (up to 60 days upon request by the client) and then deleted or pseudonymized. The pseudonymized logs are deleted are 12 months. Aggregated reporting metrics are retained (in aggregate and anonymized form) for up to 24 months.

Criteo

We use Criteo's services for personalized marketing purposes, e.g. to display advertisements within other websites based on the presumed interests of users or products already seen..

Data processed: Usage data, metadata, (cookie IDs, hashed e-mail addresses, mobile advertising IDs, other technical IDs that allow Criteo to individually record the online behaviour of individuals without making them directly identifiable).
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Website users
Type, scope and mode of operation of the processing: Opt-out, IP masking (complete IP addresses are only used for the purpose of fraud detection and allocation of sales to users for the purpose of measuring success), pseudonymisation.
Special security measures: IP masking (full IP addresses are only used for fraud detection purposes, and assignment of sales to users for performance measurement purposes).
Opt-Out: Yes, via https://www.criteo.com/privacy
External disclosure: Criteo GmbH, Gewürzmühlstr. 11, 80538 Munich, Germany.
Privacy Policy: https://www.criteo.com/de/privacy

e-dialog GmbH

Search engine optimization (SEO), Optimization, Management of Google Services. Please note: Google Services are used in a sub-subprocessing relationship, e-dialog GmbH is the direct subprocessor.

Data processed: Usage data, metadata, Customer Personal Data may include the types of personal data described at https://privacy.google.com/businesses/adsservices
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Website visitors.
Purpose of processing:
Type, scope and mode of operation of the processing: Third party cookies, clicktracking, profiling, remarketing, web-analytics, demographic data, facebook pixel.
Special security measures: Durch die Aktivierung der IP-Anonymisierung auf dieser Website, wird Ihre IP-Adresse von Google jedoch innerhalb von Mitgliedstaaten der Europäischen Union oder in anderen Vertragsstaaten des Abkommens über den Europäischen Wirtschaftsraum zuvor gekürzt. Nur in Ausnahmefällen wird die volle IP-Adresse an einen Server von Google in den USA übertragen und dort gekürzt.
Opt-Out: Same opt-out options as in the case of Google services.
Necessity / interest in processing: Economic interests.
External disclosure: List of subprocessors: e-dialog GmbH, Woldeforster Str. 6, 17109 Demmin, Germany.
Privacy Policy: https://www.e-dialog.at/datenschutz
Processing in third countries: USA
Retention of data: With regards to Google services, as in the case of Google.

Google Tag Manager

Google Tag Manager is a tool that allows us to manage so-called website tags via an interface (and thus integrate Google Analytics and other Google marketing services into our online serviced,). The Tag Manager itself (which implements the tags) does not process any personal data of the users. With regard to the processing of users' personal data, reference is made to the following information on the Google services. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

We use Google Analytics to perform measurement and analysis of the use of our online services by users based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed within one or various usage processes, which search terms they have used, have accessed again or have interacted with our online services. Likewise, the time of use and its duration are stored, as well as the sources of users referring to our online services and technical aspects of their end devices and browsers. In the process, pseudonymous profiles of users are created with information from the use of various devices, and cookies may be used. In Analytics, higher level geographic location data is provided by collecting the following metadata based on IP search: "city" (and the derived latitude and longitude of the city), "continent", "country", "region", "subcontinent" (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data via domains and servers within the EU. The IP address of users is not logged and is shortened by the last two digits by default. The shortening of the IP address takes place on EU servers for EU users. In addition, all sensitive data collected from users in the EU is deleted before it is collected via EU domains and servers.

We use Google Analytics also to display ads placed by Google and its partnersonly to users who have shown an interest in our online services or who have specific characteristics (e.g. interests in specific topics or products determined on the basis of the websites visited) that we transmit to Google (so-called "Remarketing Audiences" or "Google Analytics Audiences"). With the help of remarketing audiences, we also want to ensure that our ads match the potential interest of users

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Universal analytics, cross-device-tracking, permanent cookies, third party cookies, tracking, interest based marketing, profiling, custom audiences, remarketing.
Special security measures: pseudonymisation, IP masking, conclusion of order processing contract, opt-out.
Opt-Out: http://tools.google.com/dlpage/gaoptout?hl=en (browser add-on), https://adssettings.google.com/ (setting for advertisements).
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Data processing agreement and standard contractual clauses: https://business.safety.google/adsprocessorterms.
Processing in third countries: USA.
Retention of data: 14 months.

Google Ads/ AdWords

We use Google AdWords to place ads to measure the success of the ads we place on Google's and Google partner's websites.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Universal analytics, permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: Pseudonymisation, IP masking, conclusion of order processing contract, opt-out.
Opt-Out: https://adssettings.google.com/.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Processing in third countries: USA.
Retention of data: The data may be processed by Google for up to two years before it is anonymised or deleted.

Google Doubleclick

We use Google Doubleclick to place ads and to measure the success of the ads we place on Google's and Google partner's websites.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Universal analytics, permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: Pseudonymisation, IP masking, conclusion of order processing contract, opt-out.
Opt-Out: https://adssettings.google.com/.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Processing in third countries: USA.
Retention of data: The data may be processed by Google for up to two years before it is anonymised or deleted.

Google AdMob

We use Google AdMob to measure the success of ads in mobile applications.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking (https://admob.google.com/home/).
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Processing in third countries: USA.
Retention of data: The data may be processed by Google for up to two years before it is anonymised or deleted.

Facebook Pixels and Custom Audiences

We use the Facebook pixel to form target groups and measure the success of the ads we place on Facebook and to build target groups for ads.

With the help of the Facebook pixel (or equivalent functions, to transfer Event-Data or Contact Information via interfaces or other software in apps), Facebook is on the one hand able to determine the visitors of our online services as a target group for the presentation of ads (so-called "Facebook ads"). Accordingly, we use Facebook pixels to display Facebook ads placed by us only to Facebook users and within the services of partners cooperating with Facebook (so-called "audience network" https://www.facebook.com/audiencenetwork/) who have shown an interest in our online services or who have certain characteristics (e.g. interests in certain topics or products that are determined on the basis of the websites visited) that we transmit to Facebook (so-called "custom audiences"). With the help of Facebook pixels, we also want to ensure that our Facebook ads correspond to the potential interest of users and do not appear annoying. The Facebook pixel also enables us to track the effectiveness of Facebook ads for statistical and market research purposes by showing whether users were referred to our website after clicking on a Facebook ad (known as "conversion tracking").

We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or transmission (but not the further processing) of "event data" that Facebook collects or receives as part of a transmission for the following purposes using the Facebook pixel and comparable functions (e.g. APIs) that are implemented in our online services: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.

Data processed: Usage data, metadata; if users are registered with Facebook, the data is linked to their Facebook profiles and data belonging to them (in particular inventory data).
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, custom audiences from website, cross-device-tracking.
Special security measures: Encrypted communication between Facebook and our website.
Opt-Out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choices (US).
External disclosure: Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, Europe: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Retention of data: The data will be deleted by Facebook and will be deleted if the user's data is deleted as part of the termination.

OpenX

OpenX Services include the Ad Exchange, a Web-based marketplace that enables publishers, advertisers, and ad networks to efficiently market, buy and sell digital and mobile advertising and ad inventory. OpenX also offers services, such as the Ad Server, through which OpenX acts as a service provider to enable Publishers, advertisers, ad networks, and other clients to manage their advertising inventory and to collect and use data to provide advertising on their digital and mobile properties and across the Internet. In this case, Publishers may use our services to process data, which they collect or source.

Data processed: Usage data (IP addresses), metadata, location data.
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, remarketing, online behavioural advertising, profiling.
Special security measures: Opt-Out, Data Processing Agreement.
Opt-Out: https://www.openx.com/legal/interest-based-advertising.
External disclosure and purpose: OpenX Technologies, Inc. 888 E. Walnut Street Pasadena, California 91101, USA
Processing in third countries: USA.
Privacy Policy: https://www.openx.com/legal/privacy-policy/.
Retention of data: https://docs.openx.com/Content/publishers/reporting_doc_retainingdata.html.

Outbrain

We use the Outbrain service for personalised marketing purposes, e.g. to display advertisements within our websites based on the presumed interests of users.

Data processed: Usage data, metadata, IP-Address (truncated), usaage of a pseudonymous Unique User ID (UUID).
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, remarketing, online behavioural advertising, profiling.
Special security measures: Opt-Out, IP-Masking (Pseudonymisation).
Opt-Out: https://www.outbrain.com/legal/amplify-terms#privacy-policy.
External disclosure and purpose: Outbrain Inc, 39 West 13th Street, 3rd floor, New York, NY 10011, USA.
Privacy Policy: https://www.outbrain.com/legal/amplify-terms#privacy-policy.
Processing in third countries: USA.
Retention of data: The stored personal data will be deleted after 13 months.

Snap Pixel

With the help of Snap Pixels we can see if our marketing activities within the Snapchat app have sparked the interest of users in our services.The snap pixel is used by us in the context of the online service https://stickertest.com/ and www.testony.com .

Processed data: Usage data, meta data; if users are registered with Snapchat, the data is linked to their Snapchat profiles and associated data (especially inventory data).
Type, scope, mode of processing: permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling.
Opt-out: https://www.snap.com/en-US/cookie-policy/. http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choices (US).
External disclosure: Snap Inc., 3000 31st Street, Santa Monica, California 90405, USA.
Privacy Policy: https://www.snap.com/de-DE/privacy/privacy-policy, Cookie Policy: https://www.snap.com/en-US/cookie-policy.
Processing in third countries: USA.
Third Country Guarantee: Standard Contractual Clauses: https://www.snap.com/de-DE/terms/standard-contractual-clauses.
Retention of data: Deletion of data is done by Snapchat and occurs when customer data is deleted as part of the cancellation process. The cookies can be stored for up to two years.

Supermetrics

We use Supermetrics marketing add-on to report, monitor and analyse our marketing campaigns.

Data processed: Usage data, analytics data, Facebook Insights data.
Special categories of personal data: none.
Legal basis: Article 6(1)(f) GDPR or Article 6(1)(a) in case we ask for an consent beforehand (e. g. in a cookie opt-in consent manager).
Data subjects: users.
Purpose of processing: Processing of usage and analytics data for marketing purposes.
Type, scope and mode of operation of the processing: Cookies, third party cookies, web-analytics, remarketing/ retargeting, tracking, click-tracking, web beacons, online behavioural advertising.
Special security measures: Query results cache is strongly encrypted. Personal data is extremely restricted and is only accessed upon the written request or in the case where Supermetrics need to debug and solve problems, and in each case such access is audited. The security is audited annually by an external third party. Data transfers are done using SSL encrypted HTTPS connections
Opt-Out: Opt-out links in the Privacy Policy: https://supermetrics.com/privacy-policy
Necessity / interest in processing: Legitimate business purposes, user consent, providing contractual services
External disclosure: Supermetrics Oy, Company ID: 2552282-5, Mikonkatu 700100 Helsinki, Finland
Privacy Policy: https://supermetrics.com/privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses.
Retention of data: As a data processor: Most processing of personal data is done in real time and deleted afterwards. In some cases Supermetrics cache query results to improve performance. Any Such caches are deleted once they are unnecessary and latest when the customer ceases to use Supermetrics products. As a data controller: The personal data will be stored only as long as it is necessary for the performance of the contract with the Controller and for the purposes set out above. Supermetrics will delete the information once it is no longer needed for those purposes.

Taboola

We use the Taboola service for personalised marketing purposes, e.g. the presentation of advertisements within other online offers based on the presumed interests of users.

Data processed: Usage data, metadata.
Type, scope and functioning of processing: permanent cookies, third party cookies, fingerprints, tracking, remarketing, interest-based marketing, web beacons, profiling.
Special protective measures: IP masking, opt-out.
Opt-Out: https://www.taboola.com/privacy-policy#users-2-5.
External disclosure: Taboola, Inc., Kings Court, 2-16 Goodge Street, 2nd fl., London W1T 2QA, UK.
Privacy Policy: https://www.taboola.com/privacy-policy.
processing in third countries: no.

Webflow

We use Webflow services to build static websites, which may include online forms.

Data processed: Inventory data, contact details, content data (survey responses, forum or blog posts), usage data, billing information, metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (1) f. GDPR.
Data subjects: Website Visitors, Employees.
Purpose of processing: Ensuring network and information security, providing service communications, improving quality control, providing customer service, enhancing user experience, research & development including web analytics, marketing.
Type, scope and mode of operation of the processing: Cookies, third party cookies, web beacons, web analytics, tracking, clicktracking, cross-device tracking, facebook pixel and remarketing service, profiling, online behavioral advertising, remarketing/retargeting
Opt-Out: Opt-Out options in particular for third party analytics and advertising in Cookie Policy: https://webflow.com/legal/cookie-policy
Necessity / interest in processing: Increased usability, legitimate business purposes.
External disclosure: Webflow, Inc., 208 Utah, Suite 210, San Francisco, CA 94103, United States
Privacy Policy: https://webflow.com/legal/eu-privacy-policy
Processing in third countries: USA.
Guarantee when processing in third countries: DPA & Standard Contractual Clauses in case of the transfer of user data originating in the EU to third countries.
Retention of data: Webflow limits their storage of the Personal Information to the amount of time necessary to fulfil the purposes for which Webflow collected the Personal Information, including for the purposes of satisfying any legal, accounting, or reporting obligations, or to resolve disputes. The standard retention periods for Personal Information are:
- Browser interaction data, such as cookies and trackers, is kept for a period of up to one year from expiry of the cookie or date of collection. - Product analytics data is kept for up to 5 years, and automatically deleted on an ongoing basis.

Profiles in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users' rights.

In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the associated interests of users. The user profiles can then be used, for example, to place advertisements within and outside the networks which are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective networs or will become members later on).

For a detailed description of the respective processing operations and the opt-out options, please refer to the respective data protection declarations and information provided by the providers of the respective networks.

Also in the case of requests for information and the exercise of rights of data subjects, we point out that these can be most effectively pursued with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, please do not hesitate to contact us.

Facebook: We are jointly responsible (so called "joint controller") with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page. This data includes information about the types of content users view or interact with, or the actions they take (see "Things that you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), and information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie information; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How we use this information?" Facebook also collects and uses information to provide analytics services, known as "page insights," to site operators to help them understand how people interact with their pages and with content associated with them. We have concluded a special agreement with Facebook ("Information about Page-Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular the security measures that Facebook must observe and in which Facebook has agreed to fulfill the rights of the persons concerned (i.e. users can send information access or deletion requests directly to Facebook). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data).

Processed data types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. text input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of Processing: Contact requests and communication, Targeting (e.g. profiling based on interests and behaviour, use of cookies), Remarketing, Web Analytics (e.g. access statistics, recognition of returning visitors).
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Services and service providers being used: Facebook: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Opt-Out: Settings for advertisements: https://www.facebook.com/settings?tab=ads.

Section IV - Definitions

This section provides an overview of the terms used in this Privacy Policy. Many of the terms are taken from the law and defined above all in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily for understanding. The terms are sorted alphabetically.

A/B Tests - A/B Tests are designed to improve the usability and performance of online services. For example, users are shown different versions of a website or its elements, such as input forms, on which the placement of the content or labels of the navigation elements can differ. Subsequently, it is possible to determine which of these websites or elements are more suited to the needs of the users on the basis of the users' behaviour, e.g. longer stays on the website or more frequent interaction with the elements of the website.
Affiliate Links - Affiliate links are links that are used to refer users to websites with product or other offers. The operators of the respective linking websites can receive a commission if users follow the affiliate links and then take advantage of the offers. For this it is necessary that the providers can track whether users who are interested in certain offers subsequently purchase them at the initiative of the affiliate links. Therefore, the functionality of affiliate links requires that they be supplemented by certain values that become part of the link or are otherwise stored, e.g. in a cookie. The values include in particular the initial website (referrer), the time, an online identification of the operator of the website on which the affiliate link was located, an online identification of the respective offer, an online identification of the user, as well as tracking specific values such as, for example, advertising material ID, partner ID and categorisations.
After-Sales - "After Sales" is a marketing procedure in which, for example, customers of an online shop are presented with advertising offers from other companies (which are usually based on the services or products purchased in the online shop). Furthermore, the functionality of after-sales corresponds to the functionality of affiliate links.
Aggregated Data - Aggregated data is pooled data that cannot be traced back to a person and is therefore not personal. For example, visit times on a website can be saved as median values.
Anonymous data - Anonymity occurs when a person cannot at least be identified by the controller using the reasonable means at his disposal on the basis of data. In particular, aggregated data may be anonymous.
Clicktracking - "Clicktracking" allows to track the movements of users within an entire website. Since the results of these tests are more accurate if the user interaction can be monitored over a certain period of time (e.g. if a user likes to return), cookies are usually stored on the user's computers for these test purposes.
Consent – „consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Conversion - "Conversion", or "Conversion measurement" refers to a procedure with which the effectiveness of marketing measures can be determined. As a rule, a cookie is stored on the user's devices within the websites on which the marketing activities take place and then retrieved again on the target website (e.g. this enables us to trace whether the ads we placed on other websites were effective).
Cookies - Cookies are small files that are stored on the user's computer. Different data can be stored in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her visit to an website. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an website and closes his browser. In such a cookie, for example, the content of a shopping basket in an online shop or a login status within a community can be stored. Cookies are referred to as "permanent" or "persistent" if they are stored even after the browser is closed. For example, the login status can be saved permanently. Likewise, the interests of users used for web analytics or marketing purposes (see e.g. "Remarketing") may be stored in such a cookie. As a "third party cookie", cookies are offered by providers other than the operator of the website (otherwise, if they are only the operators cookies, they are referred to as "first party cookies").
Contact Information (Facebook) - "Contact Information" is data that (clearly) identifies data subjects, such as names, email addresses and phone numbers, that can be transmitted to Facebook, e.g. via Facebook pixels or uploads for matching purposes to form Custom Audiences; After the matching to create target groups, the Contact Information is deleted.
Cross-Device-Tracking - Cookies and fingerprints are device-related. Cross-device tracking is required to evaluate the interests of users using smartphones for advertising on desktop PCs. Logins in social networks such as Facebook, for example, can be used for this purpose. Alternatively, location data, IP addresses and user behavior are used to achieve up to 98% more precise user restriction. Cookies and web beacons are usually used for cross-device tracking purposes.
Custom Audiences - Custom audiences are people who are targeted for advertising purposes, e.g. the display of advertisements. For example, based on a user's interest in certain products or topics on the Internet, it may be concluded that the user is interested in advertisements for similar products or the online shop in which he has viewed the products. "Lookalike audiences" are users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are usually used for the purpose of creating custom audiences and lookalike audiences. "Custom Audiences from Website" means that the target groups are formed on the basis of visitors of the own website. "Custom Audiences from File" means that, for example, a list of e-mail addresses is uploaded to the respective advertising network or platform to form the target group.
Data subject - See "Personal data".
Demographic Data - Demographic data are general information about groups of people or persons, e.g. characteristics such as age, gender, place of residence and social characteristics such as occupation, marital status or income. Demographic data is collected within the scope of web analytics and in online marketing for the purposes of online behavioural marketing or for business analyses that are used, for example, to determine the target groups.
Embedding - Embedding involves integrating external content or software functions (see "Plug-ins") into one' s own website in such a way that they are displayed or executed on this website. No copy of the content is created because it is called from the original server (e.g. videos, images, posts on social networks, widgets with ratings). With embedding, it is technically necessary for the provider of the content to obtain the IP address of the user in order to display the embedded content in the user's browser. Furthermore, the content provider may, for example, store cookies on the user's devices.
Advanced matching - The "advanced matching" is a Facebook pixel option, which means that inventory data such as phone numbers, email addresses or Facebook IDs of users are transmitted to Facebook in encrypted form to form target groups for Facebook ads and are used only for this purpose.
Error tracking - During error tracking, e.g. incorrectly executed program code is detected in order to eliminate it and thus guarantee the functionality and security of websites.
Event Data (Facebook) - "Event Data" is data that can be transmitted from us to Facebook, e.g. via Facebook pixels (via apps or other means) and relates to persons or their actions; the data includes, for example, information about visits to websites, interactions with content, functions, installations of apps, purchases of products, etc.; Event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences); Event Data does not include the actual content (such as written comments), login information, and Contact Information (such as names, email addresses, and phone numbers). Event Data is deleted by Facebook after a maximum of two years, the Custom Audiences created from them with the deletion of our Facebook account.
Fingerprints and other online identifiers - "Fingerprints" correspond in their function to cookies, whereby the storage of a file on the user's device is not required. These digital fingerprints can be individually created as cross sums of individual factors of devices, e.g. computing power or browser plug-ins for devices, and thus used for web analytics, profiling, remarketing, online- and behavioral advertising.
First-Party Cookies – See „Cookies”.
Heatmaps - "Heatmaps" are mouse movements of the users, which are combined to an overall picture, with the help of which e.g. it is possible to recognize which website elements are preferred and which website elements users prefer less.
IP address - The IP address ("IP" stands for Internet Protocol) is a sequence of numbers that can be used to identify devices connected to the Internet. When a user visits a website on a server, he informs the server of his IP address. The server then knows that it must send the data packets containing the content of the website to this address.
IP Masking - IP masking is a method in which the last octet, i.e. the last two numbers of an IP address, are deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing methods, especially in online marketing.
Online behavioral advertising (OBA) - online behavioral advertising is the term used when profiling is used to assess the potential interest of users in advertising. Cookies and web beacons are usually used for these purposes.
Lookalike Audiences – See “Custom Audiences”.
Opt-in - The term "opt-in" means, depending on the context, the same as registration or consent.. If a registration (e.g. by entering an e-mail address in an online form field) is confirmed by sending an e-mail with a confirmation link to the owner of the e-mail address, this is referred to as a Double-Opt-In (DOI).
Opt-Out - The term Opt-Out means unsubscription and may be an objection (e.g. against tracking) or a cancellation (e.g. for newsletter subscriptions).
Opt-Out-Cookie - An "Opt-Out-Cookie" is a small file (see "Cookies") which is stored in your browser and in which it is noted that, for example, a tracking service should not process your data. The "opt-out cookie" only applies to the browser in which it was saved, i.e. in which you clicked the opt-out link. If cookies are deleted in this browser, you must click the opt-out link again. Furthermore, an opt-out link can only be limited to the domain on which the opt-out link was clicked.
Permanent Cookies – See „Cookies”.
Personal Data - "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Plugins/ Social Plugins - Plugins (or "Social Plugins" in the case of social functions) are external software functions that are integrated into a website. For example, they can be used to output interaction elements (e.g., a "I like" button) or content (e.g., external commenting function or postings in social networks).
Processor - "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Profiling - "Profiling" means any automated processing of personal data consisting in the use of such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this includes information regarding age, gender, location and movement data, interaction with websites and their contents, shopping behaviour, social interactions with other people) (e.g. interests in certain contents or products, click behaviour on a website or the location). Cookies and web beacons are often used for profiling purposes.
Pseudonymisation/ Pseudonyms - "Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; E.g. if an exact interest profile of the computer user is stored in a cookie (a "marketing avatar"), but not the name of the user, then data is processed pseudonymously. If his name is stored, e.g. as part of his e-mail address or his IP address is stored, then the processing is no longer pseudonymous.
Third countries - Third countries are countries in which the GDPR is not directly applicable law, i.e. in general states that do not belong to the European Union (EU) or the European Economic Area (EEA).
Web Analytics - Web Analytics is used to evaluate the visitor flows of a website and can include their behaviour, interests or demographic information, e.g. age or gender. With the help of range analysis, website owners, for example, can see what types of people visit their website at what time and what content they are interested in. This enables them, for example, to better optimize the content of the website to the needs of their visitors. Cookies and web beacons are often used for Web Analytics purposes.
Remarketing/ Retargeting - "Remarketing" or "Retargeting" is used when, for example, for advertising purposes is noted which products a user is interested in on a website in order to remind the user on other websites of these products, e.g. in advertisements. Cookies are usually used for retargeting purposes.
Session Cookies – See „Cookies”.
Single-Sign-On - Single-Sign-On" or "Single-Sign-On-Authentication" is a procedure that allows users to log on to an online service, using other online services, they are members with. A requirement for Single-Sign-On authentication is that users are registered with the respective Single-Sign-On provider and enter the required credentials on the web form provided for this purpose. Authentication takes place directly with the respective single sign-on provider. As part of such authentication, we receive a user ID with the information that the user is logged in under this user ID at the respective single sign-on provider and an ID that can no longer be used by us (so-called "user handle"). Whether we receive further data depends solely on the single sign-on procedure used, the selected data shares as part of authentication and also which data users have authorised in the privacy or other settings of the user account with the single sign-on provider. Depending on the single sign-on provider and the choice of users, it can be different data, usually the e-mail address and the user name. The password entered as part of the single sign-on procedure is neither visible to us nor is it stored by us. Users are asked to note that their data stored with us can be automatically synchronized with their user account with the Single-Sign-On provider, but this is not always possible or actually occurs. If, for example, the e-mail addresses of users change, users must change these manually in their user account at our site. If users decide that they no longer want to use their user account link with the Single-Sign-On provider for the Single-Sign-On procedure, they must cancel this link within their user account held with the Single-Sign-On provider. If users wish to erase their data from our system, they must cancel their registration at our service.
Special categories of personal data - Data identifying racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data relating to a natural person's sex life or sexual orientation.
Third Party - “Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Third-Party Cookies – See „Cookies”.
Tracking - Tracking is defined as when the behaviour of users can be traced across several online offers, e.g. for remarketing purposes. The behavioral and interest information collected with regard to the online services used is stored as user profiles in cookies or on the servers of marketing service providers (e.g. Google or Facebook).
Universal Analytics - "Universal Analytics" is a Google Analytics process in which the user analysis is based on a pseudonymous user ID and a pseudonymous profile of the user with information from the use of various devices is created ("cross-device tracking").
Controller – “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processing – “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Tracking pixels – See Web-Beacons.
Web beacons - Web beacons (or "pixels", "measuring pixels" or "tracking pixels") are small, pixel-sized graphics that are integrated into Web pages or HTML e-mails. For example, they allow to determine whether an e-mail has been opened (at least if the image display in e-mails is enabled) or how often a website is accessed by a user.
Widgets – See Embedding.