Privacy Policy GRID Website
Preamble
With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us on our websites as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Last updated: April 4, 2025
Controller
HomeRun GmbH
Harvestehuder Weg 18
20148 Hamburg
Authorized Representatives: Daniel Grünthal, Philipp Illies
Email Address: hello@gridapp.ai
Overview of Processing Operations
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed
Inventory data
Payment data
Contact data
Content data
Contract data
Usage data
Meta, communication, and procedural data
Applicant data
Categories of Data Subjects
Customers
Employees
Interested parties
Communication partners
Users
Applicants
People depicted
Purposes of Processing
Provision of contractual services and customer service
Contact requests and communication
Security measures
Direct marketing
Reach measurement
Tracking
Office and organizational procedures
Conversion measurement
Target group formation
Management and response to inquiries
Job application process
Feedback
Marketing
Profiles with user-related information
Provision of our online offering and user experience
Information technology infrastructure
Relevant Legal Bases
Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, should more specific legal bases be decisive in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a Contract and Prior Requests (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate Interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Job Application Process as a Pre-Contractual or Contractual Relationship (Art. 6(1)(b) GDPR) - Insofar as special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data, such as severely disabled status or ethnic origin) are requested from applicants during the application procedure, so that the controller or the data subject can exercise the rights arising from labor law and social security and social protection law and fulfill their respective obligations in this regard, their processing is carried out in accordance with Art. 9(2)(b) GDPR. In the case of the protection of vital interests of the applicants or other persons pursuant to Art. 9(2)(c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Art. 9(2)(h) GDPR. In the case of a voluntary disclosure of special categories of data based on consent, their processing is carried out on the basis of Art. 9(2)(a) GDPR.
In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). The BDSG contains special provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making, including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (§ 26 BDSG), in particular with regard to the establishment, implementation, or termination of employment relationships as well as the consent of employees. In addition, state data protection laws of the individual federal states may apply.
Security Measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing, and separation of the data. In addition, we have established procedures that ensure the exercise of data subjects' rights, the deletion of data, and responses to data compromise. Furthermore, we consider the protection of personal data already during the development or selection of hardware, software, and procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
IP Address Anonymization: Insofar as IP addresses are processed by us or by the service providers and technologies used, and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as "IP masking"). In this process, the last two digits or the last part of the IP address after a period are removed or replaced by wildcards. The shortening of the IP address is intended to prevent or significantly impede the identification of a person by their IP address.
TLS Encryption (https): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transfer of Personal Data
In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies, this will only be done in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we process or have the data processed only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, Information page of the EU Commission).
Deletion of Data
The data processed by us will be deleted in accordance with the legal requirements as soon as their permitted consents are revoked or other permissions expire (e.g., if the purpose of processing this data has ceased to apply or they are not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
Our data protection notices may also contain further information on the retention and deletion of data that take precedence for the respective processing operations.
Use of Cookies
Cookies are small text files or other storage notes that store information on end devices and read information from the end devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the contents accessed or functions used of an online offer. Cookies can also be used for various purposes, e.g., for purposes of functionality, security, and comfort of online offerings as well as the creation of analyses of visitor flows.
Notes on Consent: We use cookies in accordance with the legal regulations. Therefore, we obtain prior consent from users, except when it is not required by law. In particular, consent is not necessary if the storage and reading of information, including cookies, is strictly necessary to provide an information society service explicitly requested by the subscriber or user. The strictly necessary cookies typically include cookies with functions that are essential for the display and operability of the website, load balancing, security, storing preferences and choices of users, or similar purposes associated with providing the main and auxiliary functions of the website requested by users. The revocable consent is clearly communicated to the users and contains the information about the respective cookie use.
Notes on Data Protection Legal Bases: The legal basis under data protection law on which we process users' personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g., in a business operation of our online offering and improvement of its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. For what purposes the cookies are processed by us, we clarify in the course of this privacy policy or in the context of our consent and processing procedures.
Storage Duration: With regard to the storage duration, the following types of cookies are distinguished:
Temporary Cookies (also: Session or Session Cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g., browser or mobile application).
Permanent Cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, the data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.
General Information on Revocation and Objection (Opt-Out): Users can revoke their consent at any time and also file an objection to the processing in accordance with the legal requirements in Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g., by deactivating the use of cookies (although this may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
Data Subjects: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of our online offering and user-friendliness.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Further Information on Processing Processes, Procedures, and Services:
CookieYes: Cookie consent management; Service Provider: CookieYes Limited, 3 Warren Yard Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.cookieyes.com; Privacy Policy: https://www.cookieyes.com/privacy-policy/; Data Processing Agreement: https://www.cookieyes.com/dpa/.
Provision of the Online Offering and Web Hosting
We process the data of users to enable us to provide our online services to them. For this purpose, we process the IP address of the user, which is necessary for us to transmit the content and functions of our online services to the browser or the device of the user.
Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Provision of our online offering and user experience; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers etc.).); Security measures.
Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
Provision of online offering on rented storage space: For the provision of our online offering, we use storage space, computing power and software that we rent from a corresponding service provider (also referred to as "web hoster"). Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Collection of access data and log files: Access to our online offering is recorded in the form of so-called "server log files". To these server log files belong the address and name of the accessed websites and files, the date and time of access, the transmitted data volumes, a message about successful access, the browser type and version, the operating system of the user, the referrer URL (the previously visited page) and, in general, IP addresses and the provider requesting access. The server log files can be used for security purposes, e.g., to prevent server overloads (especially in the case of malicious attacks, so-called DDoS attacks) and to ensure the stability and load of the servers. Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data, whose further storage is required for the purpose of proof, are excluded from deletion until the final clarification of the respective case.
Content Delivery Network: We use a "Content Delivery Network" (CDN). A CDN is a service that allows content of an online offering, especially large media files such as graphics or script files, to be delivered faster and more securely through regional and connected servers over the internet. Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Framer: Hosting and software for creating, providing and operating websites, blogs and other online offerings; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Data processing agreement: https://www.framer.com/legal/data-processing-addendum/; Service provider: Framer B.V., Singel 258, 1016 AB, Amsterdam, The Netherlands; Website: https://www.framer.com; Data protection notice: https://www.framer.com/legal/privacy-statement/.
Purchase of Applications via App Stores
The purchase of our application is made through special online platforms operated by other service providers, at (so-called "app stores"). In this context, in addition to our data protection notices, we refer to the data protection notices of the respective app stores. This applies in particular with regard to the methods used for reach measurement and targeted marketing as well as any associated costs.
Processed data types: Inventory data (e.g., names, addresses); payment data (e.g., bank connections, invoices, payment history); contact data (e.g., email, telephone numbers); contract data (e.g., subject of the contract, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent); content data (e.g., input in online forms).
Data subjects: Customers; Users (e.g., website visitors, users of online services).
Purposes of processing: Provision of contractual services and customer service; Marketing.
Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
Apple App Store: App and software sales platform; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://www.apple.com/de/ios/app-store/; Data protection notice: https://www.apple.com/legal/privacy/de-ww/.
Google Play: App and software sales platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://play.google.com/store/apps?hl=de; Data protection notice: https://policies.google.com/privacy.
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, we process the data of the persons making the request to the extent necessary for answering the contact requests and any requested measures.
Processed data types: Contact data (e.g., email, telephone numbers); content data (e.g., input in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Communication partners; Users (e.g., website visitors, users of online services); People depicted.
Purposes of processing: Contact requests and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offering and user experience; Office and organizational procedures.
Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Contractual performance and pre-contractual inquiries (Art. 6 Abs. 1 S. 1 lit. b) GDPR).
Further notes on processing processes, procedures and services:
Contact form: If users contact us via our contact form, email or other communication channels, we process the data we receive in this context for the purpose of processing the received request; Legal bases: Contractual performance and pre-contractual inquiries (Art. 6 Abs. 1 S. 1 lit. b) GDPR), Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Typeform: Creation of forms and surveys and management of participant contributions; Service provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://www.typeform.com/; Data protection notice: https://admin.typeform.com/to/dwk6gt/.
calendly: Online appointment scheduling and appointment management; Service provider: Calendly LLC., 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, USA; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://calendly.com/de; Data protection notice: https://calendly.com/pages/privacy; Data processing agreement: https://calendly.com/dpa; Standard contractual clauses (guaranteeing data protection level in third countries): https://calendly.com/dpa.
Video Conferences, Online Meetings, Webinars, and Screen Sharing
We use platforms and applications of other providers (hereinafter referred to as "conferencing platforms") for the purpose of conducting video and audio conferences, webinars and other forms of video and audio meetings (hereinafter collectively referred to as "conferences"). When selecting the conferencing platforms and their services, we take into account the legal requirements.
Data processed by conferencing platforms: In the context of participating in a conference, the conferencing platforms process the following personal data of participants:
Person (first name, last name)
Contact information (email address, telephone number)
Access data (access codes or passwords)
Profile pictures
Information about professional position/function
Technical details about the internet connection, including IP address
Information about the devices of the participants, their operating system, the browser and its technical and language settings
Information about the content of communication, i.e., input in chats and audio and video data
Use of other functions available on the platform (e.g., surveys)
The content of the communications is encrypted in the range provided by the conferencing platform. If participants are registered as users on the conferencing platforms, additional data can be processed in accordance with the agreement with the respective conferencing platform.
Protokollierung und Aufnahmen: Falls Texteingaben, Teilnahmeergebnisse (z.B. von Umfragen) sowie Video- oder Audioaufnahmen protokolliert werden, wird dies den Teilnehmern im Vorwege transparent mitgeteilt und sie werden – soweit erforderlich – um eine Zustimmung gebeten.
Datenschutzmaßnahmen der Teilnehmer: Bitte beachten Sie zu den Details der Verarbeitung Ihrer Daten durch die Konferenzplattformen deren Datenschutzhinweise und wählen im Rahmen der Einstellungen der Konferenzplattformen, die für Sie optimalen Sicherheits- und Datenschutzeinstellungen. Bitte sorgen Sie ferner für die Dauer einer Videokonferenz für den Daten- und Persönlichkeitsschutz im Hintergrund Ihrer Aufnahme (z.B. durch Hinweise an Mitbewohner, Abschließen von Türen und Nutzung, soweit technisch möglich, der Funktion zur Unkenntlichmachung des Hintergrunds). Links zu den Konferenzräumen sowie Zugangsdaten, dürfen nicht an unberechtigte Dritte weitergegeben werden.
Hinweise zu Rechtsgrundlagen: Sofern neben den Konferenzplattformen auch wir die Daten der Nutzer verarbeiten und die Nutzer um deren Einwilligung in den Einsatz der Konferenzplattformen oder bestimmter Funktionen bitten (z. B. Einverständnis mit einer Aufzeichnung von Konferenzen), ist die Rechtsgrundlage der Verarbeitung diese Einwilligung. Ferner kann unsere Verarbeitung zur Erfüllung unserer vertraglichen Pflichten erforderlich sein (z.B. in Teilnehmerlisten, im Fall von Aufarbeitung von Gesprächsergebnissen, etc.). Im Übrigen werden die Daten der Nutzer auf Grundlage unserer berechtigten Interessen an einer effizienten und sicheren Kommunikation mit unseren Kommunikationspartnern verarbeitet.
Verarbeitete Datenarten: Bestandsdaten (z.B. Namen, Adressen); Kontaktdaten (z.B. E-Mail, Telefonnummern); Inhaltsdaten (z.B. Eingaben in Onlineformularen); Nutzungsdaten (z.B. besuchte Webseiten, Interesse an Inhalten, Zugriffszeiten); Meta-, Kommunikations- und Verfahrensdaten (z. B. IP-Adressen, Zeitangaben, Identifikationsnummern, Einwilligungsstatus).
Betroffene Personen: Kommunikationspartner; Nutzer (z.B. Webseitenbesucher, Nutzer von Onlinediensten); Abgebildete Personen.
Zwecke der Verarbeitung: Erbringung vertraglicher Leistungen und Kundenservice; Kontaktanfragen und Kommunikation; Büro- und Organisationsverfahren.
Rechtsgrundlagen: Berechtigte Interessen (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Job Application Process
The job application process requires applicants to provide us with the data necessary for their assessment and selection. The information required depends on the job posting or, in the case of online forms, on the information provided there.
Generally, the following information is required about the person: name, address, a means of contact and proof of qualifications necessary for a position. We also like to provide information about the requirements.
If provided, applicants can submit their job applications via an online form. The data are transmitted to us encrypted according to the state of the art. Applicants can also submit their job applications via email. We ask, however, that you pay attention to the fact that emails are generally not encrypted when sent over the internet. In general, emails are encrypted on the transport path, but not on the servers from which they are sent and received. We cannot therefore assume responsibility for the transmission path between the sender and the recipient on our server.
For the purposes of job searching, submitting job applications and selecting applicants, we can use, under the conditions of the legal requirements, job applicant management software and platforms and services of third-party providers.
Applicants can contact us or send their job applications by post.
Verarbeitung besonderer Kategorien von Daten: Soweit im Rahmen des Bewerbungsverfahrens besondere Kategorien von personenbezogenen Daten im Sinne des Art. 9 Abs. 1 GDPR (z.B. Gesundheitsdaten, wie z.B. Schwerbehinderteneigenschaft oder ethnische Herkunft) bei Bewerbern angefragt werden, damit der Verantwortliche oder die betroffene Person die ihm bzw. ihr aus dem Arbeitsrecht und dem Recht der sozialen Sicherheit und des Sozialschutzes erwachsenden Rechte ausüben und seinen bzw. ihren diesbezüglichen Pflichten nachkommen kann, erfolgt deren Verarbeitung nach Art. 9 Abs. 2 lit. b. GDPR, im Fall des Schutzes lebenswichtiger Interessen der Bewerber oder anderer Personen gem. Art. 9 Abs. 2 lit. c. GDPR oder für Zwecke der Gesundheitsvorsorge oder der Arbeitsmedizin, für die Beurteilung der Arbeitsfähigkeit des Beschäftigten, für die medizinische Diagnostik, für die Versorgung oder Behandlung im Gesundheits- oder Sozialbereich oder für die Verwaltung von Systemen und Diensten im Gesundheits- oder Sozialbereich gem. Art. 9 Abs. 2 lit. h. GDPR. Im Fall einer auf freiwilliger Einwilligung beruhenden Mitteilung der besonderen Kategorien von Daten erfolgt deren Verarbeitung auf Grundlage von Art. 9 Abs. 2 lit. a. GDPR.
Löschung von Daten: Die von den Bewerbern zur Verfügung gestellten Daten können im Fall einer erfolgreichen Bewerbung für die Zwecke des Beschäftigungsverhältnisses von uns weiterverarbeitet werden. Andernfalls, sofern die Bewerbung auf ein Stellenangebot nicht erfolgreich ist, werden die Daten der Bewerber gelöscht. Die Daten der Bewerber werden ebenfalls gelöscht, wenn eine Bewerbung zurückgezogen wird, wozu die Bewerber jederzeit berechtigt sind. Die Löschung erfolgt, vorbehaltlich eines berechtigten Widerrufs der Bewerber, spätestens nach dem Ablauf eines Zeitraums von sechs Monaten, damit wir etwaige Anschlussfragen zu der Bewerbung beantworten und unseren Nachweispflichten aus den Vorschriften zur Gleichbehandlung von Bewerbern nachkommen können. Rechnungen über etwaige Reisekostenerstattung werden entsprechend den steuerrechtlichen Vorgaben archiviert.
Aufnahme in einen Bewerberpool: Die Aufnahme in einen Bewerber-Pool, sofern angeboten, erfolgt auf Grundlage einer Einwilligung. Die Bewerber werden darüber belehrt, dass ihre Zustimmung zur Aufnahme in den Talentpool freiwillig ist, keinen Einfluss auf das laufende Bewerbungsverfahren hat und sie ihre Einwilligung jederzeit für die Zukunft widerrufen können.
Verarbeitete Datenarten: Bestandsdaten (z.B. Namen, Adressen); Kontaktdaten (z.B. E-Mail, Telefonnummern); Inhaltsdaten (z.B. Eingaben in Onlineformularen); Bewerberdaten (z.B. Angaben zur Person, Post- und Kontaktadressen, die zur Bewerbung gehörenden Unterlagen und die darin enthaltenen Informationen, wie z.B. Anschreiben, Lebenslauf, Zeugnisse sowie weitere im Hinblick auf eine konkrete Stelle oder freiwillig von Bewerbern mitgeteilte Informationen zu deren Person oder Qualifikation).
Betroffene Personen: Bewerber.
Zwecke der Verarbeitung: Bewerbungsverfahren (Begründung und etwaige spätere Durchführung sowie mögliche spätere Beendigung des Beschäftigungsverhältnisses).
Rechtsgrundlagen: Bewerbungsverfahren als vorvertragliches bzw. vertragliches Verhältnis (Art. 6 Abs. 1 lit. b) GDPR).
Cloud Services
We use cloud services that are accessible over the internet and provided by the service providers of these cloud services (so-called "cloud services", also referred to as "software as a service") for storage and management of content (e.g., document storage and management, exchange of documents, sharing of content and information with certain recipients or publication of content and information).
In this context, personal data can be processed and stored on the servers of the service providers, provided that this is part of communication with us or, as set out in this data protection notice, processed by us. These data may include, in particular, master data and contact data of users, data relating to processes, contracts, other processes and their content. The service providers of the cloud services process further usage data and metadata, which are used for security purposes and for service optimization.
If we provide forms for other users or publicly accessible websites for the purpose of providing content and information, the service providers of the cloud services may store cookies on the devices of the users for the purpose of web analysis or, to remember user settings (e.g., in the case of media management), to store information.
Processed data types: Inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., input in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Customers; Employees (e.g., employees, applicants, former employees); Interested parties; Communication partners; Users (e.g., website visitors, users of online services).
Purposes of processing: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers etc.).).
Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
Google Workspace: Cloud-based application software (e.g., text and spreadsheet processing, appointment and contact management), cloud storage and cloud infrastructure services; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://workspace.google.com/; Data protection notice: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Standard contractual clauses (guaranteeing data protection level in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Further information: https://cloud.google.com/privacy.
Newsletters and Electronic Notifications
We send newsletters, emails and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or with a statutory permission. If, within the framework of a registration for a newsletter, the content of the newsletter is explicitly described, it is decisive for the consent of the users. Otherwise, our newsletters contain information about our services and us.
To register for our newsletters, it is generally sufficient if you provide us with your email address. We may ask you to provide a name, for personal salutation in the newsletter, or further information, if this is necessary for the purposes of the newsletter.
Double-Opt-In-Procedure: The registration for our newsletter is generally carried out in a so-called double-opt-in procedure. This means that you will receive an email after registration, in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with foreign email addresses. The registrations for the newsletter are recorded to enable us to verify the registration process in accordance with the legal requirements. This includes the storage of the registration date and the time of confirmation as well as the IP address. In addition, changes to the data stored with the newsletter service provider are recorded.
Deletion and restriction of processing: We can store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of defending against claims. An individual deletion request is possible at any time, provided that the previously existing existence of consent is confirmed at the same time. In the case of a duty to maintain a permanent observance of objections, we reserve the storage of the email address for this purpose in a blacklist (so-called "block list").
The recording of the registration process is based on our legitimate interests for the purpose of proving the orderly execution of the process. Where we commission a service provider for the dispatch of emails, this is based on our legitimate interests in an efficient and secure dispatch system.
Content:
Information about us, our services, actions and offers.
Processed data types: Inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent); usage data (e.g., visited websites, interest in content, access times).
Data subjects: Communication partners.
Purposes of processing: Direct marketing (e.g., by email or postal mail); Reach measurement (e.g., access statistics, recognition of repeat visitors).
Legal bases: Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR).
Right of objection (Opt-Out): You can unsubscribe from our newsletters at any time, i.e., revoke your consent or object to further receipt. You can find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options mentioned above to do so.
Further notes on processing processes, procedures and services:
Measurement of opening and click rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server when you open the newsletter, or, if we use a dispatch service provider, from the server of the dispatch service provider. In the context of this retrieval, technical information, such as information about your browser and your system, as well as your IP address and the time of retrieval, are collected. These data are used for technical improvement of our newsletters based on the technical data or the target groups and their reading habits on the basis of their access frequency (which can be determined with the help of the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. These data are assigned to the individual newsletter recipients and stored in their profiles up to their deletion. The evaluations serve us to determine the reading habits of our users and to adapt our content to their interests or to send different content to them in accordance with their interests. The measurement of the opening rates and the click rates as well as the storage of the measurement results in the profiles of the users and their further processing are based on the consent of the users. A separate revocation of the success measurement is unfortunately not possible, in this case the entire newsletter subscription must be canceled, or it must be objected to. In this case, the stored profile information is deleted; Legal bases: Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR).
SendinBlue: Email marketing platform; Service provider: SendinBlue SAS, 55, rue d'Amsterdam, 75008 Paris, France; Legal bases: Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR); Website: https://de.sendinblue.com/; Data protection notice: https://www.sendinblue.com/legal/privacypolicy/; Data processing agreement: Provided by the service provider.
Web Analysis, Monitoring, and Optimization
Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offering and can include behavioral, interest or demographic information about the visitors, such as their age or gender, as pseudonymous values. With the help of reach measurement, we can, for example, determine when our online offering or its functions or content are used most frequently or when we invite to reuse. Likewise, we can follow up on which areas require optimization.
In addition to web analysis, we can also use test methods to test different versions of our online offering or its components and optimize them.
Unless otherwise specified, profiles, i.e., data aggregated for a usage process, can be created and information can be stored and read from a browser, or from a device, and can be used for these purposes. The collected information generally includes visited websites and elements used on these websites as well as technical information, such as the browser used, the operating system used and information about usage times. If users have given us consent to process their location data with us or with the providers of the services we use, these can also be processed.
IP addresses of users are also stored. However, we use an IP masking method (i.e., pseudonymization by shortening the IP address) for the protection of the users. Generally, no personal data of users (e.g., email addresses or names) are stored in the context of web analysis, A/B testing and optimization, but pseudonyms. This means that we and the providers of the software we use do not know the actual identity of the users, but only the information stored in the profiles of the users for the purposes of the respective processes.
Processed data types: Usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Reach measurement (e.g., access statistics, recognition of repeat visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Provision of our online offering and user experience; Conversion measurement (measurement of the effectiveness of marketing measures); Target group formation.
Security measures: IP masking (pseudonymization of the IP address).
Legal bases: Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR).
Further notes on processing processes, procedures and services:
Google Analytics: Web analysis, reach measurement and measurement of user flows; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Data protection notice: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (guaranteeing data protection level in third countries): https://business.safety.google/adsprocessorterms; Right of objection (Opt-Out): Opt-Out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertising: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
Online Marketing
We process personal data for the purpose of online marketing, which includes, in particular, the marketing of advertising spaces or the presentation of advertising and other content (hereinafter collectively referred to as "content") based on the potential interests of the users and the measurement of their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called "cookie") or similar methods are used, through which the relevant information about the user is stored. These data may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information, such as the browser used, the operating system used and information about usage times and used functions. If users have given us consent to process their location data, these can also be processed.
IP addresses of users are also stored. However, we use IP masking methods (i.e., pseudonymization by shortening the IP address) for the protection of the users. Generally, no personal data of users (e.g., email addresses or names) are stored in the context of online marketing, but pseudonyms. This means that we and the providers of the online marketing methods do not know the actual identity of the users, but only the information stored in the profiles of the users.
The information in the profiles is generally stored in cookies or by similar methods. These cookies can later also be used on other websites that use the same online marketing method, read out and analyzed for the purpose of presenting content as well as supplemented with further data and stored on the server of the online marketing method provider.
In exceptional cases, personal data may be assigned to profiles. This is the case if, for example, users are members of a social network whose online marketing method we use and the network connects the profiles of the users with the aforementioned information. We ask you to note that users may have additional agreements with the providers, for example through consent within the framework of registration.
We generally only have access to aggregated information about the success of our advertisements. However, we can check, within the framework of so-called conversion measurements, whether our online marketing methods have led to a so-called conversion, i.e., to a contract with us. The conversion measurement is used solely for the analysis of the success of our marketing measures.
Unless otherwise specified, we ask you to assume that cookies are stored for a period of two years.
Processed data types: Usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Reach measurement (e.g., access statistics, recognition of repeat visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Marketing; Profiles with user-related information (creation of user profiles); Provision of our online offering and user experience; Conversion measurement (measurement of the effectiveness of marketing measures); Target group formation.
Security measures: IP masking (pseudonymization of the IP address).
Legal bases: Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR).
Right of objection (Opt-Out): We refer to the data protection notices of the respective providers and the opt-out options provided by these providers (so-called "Opt-Out"). If no explicit opt-out option is provided, users have the possibility, on the one hand, to disable cookies in the settings of their browser. This may, however, restrict the functionality of our online offering. We therefore recommend the following opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-border: https://optout.aboutads.info.
Further notes on processing processes, procedures and services:
Facebook Ads: Placement of ads within the Facebook platform and evaluation of ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://www.facebook.com; Data protection notice: https://www.facebook.com/about/privacy; Right of objection (Opt-Out): We refer to the data protection - and advertising settings in the user profile on the Facebook platform as well as to the opt-out options within the framework of Facebook's consent process and Facebook's contact options for fulfilling requests and other rights of data subjects in Facebook's data protection notice; Further information: Event data of users, i.e., behavioral and interest information, are processed for the purposes of targeted advertising and target group formation on the basis of the agreement on joint responsibility ("Additional for controllers", https://www.facebook.com/legal/controller_addendum) for Meta Platforms Ireland Limited, a company with its registered office in the EU. The further processing of the data lies in the sole responsibility of Meta Platforms Ireland Limited, which also concerns the transmission of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Google Ad Manager: We use the "Google Marketing Platform" (and services such as "Google Ad Manager") to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.). The Google Marketing Platform is characterized by the fact that ads are displayed in real time based on presumed interests of users. This allows us to display ads for and within our online offering more specifically to users, to present them with ads only that potentially meet their interests. If a user is shown ads for products for which he or she has already expressed interest on another online offering, this is referred to as "remarketing"; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Data protection notice: https://policies.google.com/privacy; Further information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices; Data processing conditions for Google advertising products: Information about the services provided Data processing conditions between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms; if Google acts as a processor, data processing conditions for Google advertising products and standard contractual clauses for data transfers to third countries: https://business.safety.google/adsprocessorterms.
Presence on Social Networks (Social Media)
We maintain online presences within social networks and process data of users within this context in order to communicate with the users there or to provide information about us.
We point out that data of users may be processed outside the area of the European Union. This may result in risks for the users, because, for example, the enforcement of the rights of users may be hindered.
Furthermore, data of users are generally processed for market research and advertising purposes within social networks. For example, based on the usage behavior and the interests of the users, user usage profiles can be created. These usage profiles can then be used to, for example, switch ads within and outside the networks that potentially meet the interests of the users. For these purposes, cookies are generally stored on the computers of the users, in which the usage behavior and the interests of the users are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (in particular, if the users are members of the respective platforms and are logged in at these platforms).
For a detailed description of the respective forms of processing and the possibilities of objection (Opt-Out), we refer to the data protection notices and information provided by the operators of the respective networks.
In the case of requests for information and asserting rights of data subjects, we also point out that these are most effectively made with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly. If you still need help, you can contact us.
Processed data types: Contact data (e.g., email, telephone numbers); content data (e.g., input in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Contact requests and communication; Feedback (e.g., collecting feedback via online form); Marketing.
Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
Facebook Pages: Profiles within the social network Facebook - We are jointly responsible for the collection (but not further processing) of data from visitors to our Facebook page (so-called "fanpage"). These data include information about the types of content that users view or interact with, or the actions they have taken (see under "Things done by you and others" in the Facebook data policy: https://www.facebook.com/policy), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under "Device information" in the Facebook data policy: https://www.facebook.com/policy). As explained in the Facebook data policy under "How do we use this information?", Facebook also collects and uses information to provide analysis services, so-called "Page Insights", for page administrators, so that these can obtain information about how people interact with their pages and with the content associated with them. We have concluded a special agreement with Facebook ("Information about Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), in which, in particular, it is regulated how much security measures Facebook must take and how Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, request information or delete requests directly from Facebook). The rights of users (in particular, the right to information, deletion, objection and complaint to the supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://www.facebook.com; Data protection notice: https://www.facebook.com/about/privacy; Standard contractual clauses (guaranteeing data protection level in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint responsibility applies to the collection by and transmission of data to Meta Platforms Ireland Limited, a company with its registered office in the EU. The further processing of the data lies in the sole responsibility of Meta Platforms Ireland Limited, which also concerns the transmission of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://www.linkedin.com; Data protection notice: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa; Standard contractual clauses (guaranteeing data protection level in third countries): https://legal.linkedin.com/dpa; Right of objection (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Plugins and Embedded Functions and Content
We integrate functions and content elements into our online offering that are provided by the servers of their respective providers (hereinafter referred to as "third-party providers"). These may be, for example, graphics, videos or city maps (hereinafter collectively referred to as "content").
The integration always presupposes that the third-party providers of this content process the IP address of the users, because without the IP address they could not send the content to the users' browsers. The IP address is therefore necessary for the display of this content or the functions. We strive to use only such content that the respective providers of the content use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through the "pixel tags", information about the visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the user's device and contain technical information about the browser and the operating system, about the referring websites, about the time of the visit as well as further information about the use of our online offering. These data can also be connected with data from other sources.
Processed data types: Usage data (e.g., visited websites, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time stamps, identification numbers, status of consent).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Provision of our online offering and user experience.
Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
Google Fonts (from Google server): Use of fonts (and symbols) for the purpose of a technically secure, maintenance-free and efficient use of fonts and symbols in view of currentness and loading times, their uniform presentation and consideration of possible licensing restrictions. The provider of the font styles is informed of the IP address of the user, so that the font styles can be provided to the user's browser. In addition, technical data (language settings, screen resolution, operating system, used hardware) are transmitted, which are necessary for the provision of the fonts in relation to the devices used and the technical environment. These data can be processed on a server of the provider of the font styles in the USA - When visiting our online offering, the browsers of the users send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the font styles). The Google Fonts Web API provides the users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CCS. To these HTTP requests belong (1) the IP address of the user used for accessing the internet, (2) the URL requested on the Google server and (3) the HTTP headers, including the User-Agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the website, on which the Google font is to be displayed). IP addresses are neither recorded on Google servers nor stored and they are not analyzed. The Google Fonts Web API records details of the HTTP requests (requested URL, User-Agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families that the user wants to load. These data are recorded so that Google can determine how often a particular font family is requested. At the Google Fonts Web API, the User-Agent must adjust the font style to the font style generated for the respective browser type. The User-Agent is primarily recorded for debugging purposes and used to generate aggregated usage statistics, with which the popularity of font families is measured. These aggregated usage statistics are published on the "Analyses" page of Google Fonts. Finally, the referrer URL is recorded so that the data can be used for maintenance of the production and a consolidated report on the top integrations based on the number of font style requests can be generated. Google does not use any of the information collected by Google Fonts to create profiles of end users or to target ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://fonts.google.com/; Data protection notice: https://policies.google.com/privacy; Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
Changes and Updates to the Privacy Policy
We ask you to inform yourself regularly about the content of our privacy policy. We adapt the privacy policy whenever the changes in the data processing carried out by us make this necessary. We inform you whenever a contribution from your side (e.g., consent) or any other individual notification becomes necessary.
If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that the addresses may change over time and ask you to check the information before contacting us.
Rights of Data Subjects
As a data subject, you have various rights under the GDPR, which result in particular from Articles 15 to 21 GDPR:
Right of objection: You have the right to object, for reasons arising from your particular situation, at any time against the processing of personal data concerning you on the basis of Art. 6 Abs. 1 lit. e or f GDPR. This also applies to profiling based on these provisions. If personal data is processed for direct marketing purposes, you have the right to object at any time against the processing of personal data concerning you for such advertising purposes; this also applies to profiling, to the extent that it is associated with such direct marketing.
Right of withdrawal of consent: You have the right to withdraw consent at any time.
Right of access: You have the right to request confirmation as to whether personal data concerning you are being processed and to obtain information about this data as well as further information and a copy of the data in accordance with the legal requirements.
Right to rectification: You have the right, in accordance with the legal requirements, to request the completion of the personal data concerning you or the correction of incorrect personal data.
Right to deletion and restriction of processing: You have the right, in accordance with the legal requirements, to request that personal data concerning you be deleted immediately, or alternatively, to request a restriction of processing of the data.
Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format or to request the transmission of this data to another controller.
Right of complaint to a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual place of residence, your place of work or the place where the alleged infringement took place, if you believe that the processing of personal data concerning you is in breach of the GDPR.