Data Privacy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to shortly as "data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Date: March 13, 2024
Controller
Marvin Kerkhoff Grenzweg 1 61200 Wölfersheim
Email address: mail@marvinkerkhoff.de
Processing Overview
The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected individuals.
Types of processed data
Inventory data; Contact details; Content data; Usage data; Meta, communication, and procedural data
Categories of affected individuals
Communication partners & Users
Purposes of processing
Contact inquiries and communication; Security measures; Direct marketing; Reach measurement; Administration and response to inquiries; Feedback; Profiles with user-related information; Provision of our online offering and user-friendliness; Information technology infrastructure
Relevant Legal Bases
Relevant Legal Bases according to the GDPR:
Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you about these in the privacy policy.
Consent (Art. 6 (1) (a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6 (1) (f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains special regulations regarding the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, data protection laws of the individual federal states (Landesdatenschutzgesetze) may apply.
Reference to the Applicability of the GDPR and Swiss DPA: These data protection notices serve both to provide information under the Swiss Federal Act on Data Protection (Swiss DPA) and under the General Data Protection Regulation (GDPR). For this reason, please note that due to broader spatial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DPA such as "processing" of "personal data," "predominant interest," and "particularly sensitive personal data," the terms used in the GDPR such as "processing" of "personal data," "legitimate interest," and "special categories of data" are used. However, the legal significance of the terms continues to be determined under the Swiss DPA.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transmission, ensuring availability, and their separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data breaches. We also consider the protection of personal data in the development or selection of hardware, software, and procedures in accordance with the principle of data protection, through technical design and by implementing privacy-friendly settings.
IP Address Truncation: If IP addresses are processed by us or by the service providers and technologies used, and the processing of a full IP address is not necessary, the IP address is truncated (also known as "IP masking"). In this process, the last two digits, or the last part of the IP address after a period, are removed, or replaced with placeholders. Truncating the IP address aims to prevent or significantly hinder the identification of a person based on their IP address.
TLS/SSL Encryption (https): To protect user data transmitted through our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting the data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is displayed in the URL when a website is secured by an SSL/TLS certificate.
Transfer of Personal Data
As part of our processing of personal data, it may occur that the data is transferred to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and particularly enter into contracts or agreements with recipients of your data that serve to protect your data.
Transfer of data within the organization: We may transfer personal data to other units within our organization or grant them access to this data. If such transfer is for administrative purposes, it is based on our legitimate business and operational interests, or it occurs if it is necessary to fulfill our contractual obligations, or when consent from the data subjects or legal permission is present.
Provision of the Online Offering and Web Hosting
We process user data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
Processed data types: Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status). Affected individuals: Users (e.g., website visitors, users of online services). Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures. Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
Additional information on processing procedures, procedures, and services:
Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, date and time of access, transmitted data volumes, message about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, such as avoiding server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load and stability of the servers; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidence purposes are excluded from deletion until the final clarification of the respective incident. Host Europe: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Host Europe GmbH, Hansestrasse 111, 51149 Cologne, Germany; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.hosteurope.de; Privacy Policy: http://www.hosteurope.de/AGB/Datenschutzerklaerung/. Data Processing Agreement: https://www.hosteurope.de/Dokumente/.
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone, or via social media) as well as within existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to the contact inquiries and any requested measures.
- Processed data types: Contact details (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected individuals: Communication partners.
- Purposes of processing: Contact inquiries and communication; Administration and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offering and user-friendliness.
- Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
Additional information on processing procedures, procedures, and services:
Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the reported issue; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
Promotional Communication via Email, Post, Fax, or Telephone
We process personal data for the purpose of promotional communication, which may take place through various channels, such as email, telephone, post, or fax, in accordance with legal requirements.
Recipients have the right to revoke granted consents at any time or to object to promotional communication at any time.
After revocation or objection, we store the data necessary to prove the previous authorization for contact or sending for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of possible defense against claims. Based on the legitimate interest of permanently considering the revocation or objection of users, we also store the data necessary to avoid re-contact (e.g., depending on the communication channel, the email address, telephone number, name).
- Processed data types: Inventory data (e.g., names, addresses); Contact details (e.g., email, telephone numbers).
- Affected individuals: Communication partners.
- Purposes of processing: Direct marketing (e.g., via email or postal mail).
- Legal basis: Consent (Art. 6 (1) (a) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis, also known as "reach measurement," is used to evaluate the visitor traffic of our online offering and may include pseudonymous values such as behavior, interests, or demographic information about the visitors, such as age or gender. With the help of reach analysis, we can, for example, identify the times when our online offering or its functions or content are most frequently used or invite for reuse. Likewise, we can track which areas need optimization.
In addition to web analysis, we may also use testing procedures to, for example, test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles may be created for these purposes, i.e., data summarized for a usage process, and information stored in a browser or device and read from it. The information collected includes, in particular, visited web pages and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, location data may also be processed.
The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored as part of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
Processed Data Types:
- Usage data (e.g., visited web pages, interest in content, access times)
- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status)
Affected Individuals:
- Users (e.g., website visitors, users of online services)
- Purposes of Processing:
- Reach measurement (e.g., access statistics, recognition of recurring visitors)
- Profiles with user-related information (creation of user profiles)
Security Measures:
- IP masking (pseudonymization of IP addresses)
- Legal Basis:
- Legitimate interests (Art. 6 (1) (f) GDPR)
Additional Information on Processing Procedures, Methods, and Services:
Matomo (No Cookies):
Matomo is a privacy-friendly web analytics software that is used without cookies. The recognition of recurring users is achieved through a "digital fingerprint," which is stored anonymously and changed every 24 hours. In the "digital fingerprint," user movements within our online offering are recorded using pseudonymized IP addresses combined with user-side browser settings, ensuring that conclusions about the identity of individual users are not possible. The data collected from users through the use of Matomo is processed only by us and not shared with third parties. Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Website: https://matomo.org/.
Plugins and Embedded Functions as well as Content
We integrate functional and content elements into our online offering, which are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). This may include graphics, videos, or maps (hereinafter collectively referred to as "content").
The integration always requires that the third-party providers of this content process the IP address of the users, as they could not send the content to their browser without the IP address. The IP address is therefore necessary for the display of this content or functions. We strive to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visit times, and other information about the use of our online offering, as well as be linked to such information from other sources.
Processed Data Types:
- Usage data (e.g., visited web pages, interest in content, access times)
- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status)
- Inventory data (e.g., names, addresses)
- Contact details (e.g., email, telephone numbers)
- Content data (e.g., entries in online forms)
Affected Individuals:
- Users (e.g., website visitors, users of online services)
Purposes of Processing: Provision of our online offering and user-friendliness
Legal Basis: Consent (Art. 6 (1) (a) GDPR)
Additional Information on Processing Procedures, Methods, and Services:
YouTube Videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertising: https://myadcenter.google.com/personalizationoff.