Privacy Policy
Data protection is of particular importance to the management of Fashion Cloud GmbH. The use of the websites of Fashion Cloud GmbH is generally possible without providing any personal data. However, if a data subject wishes to use special services of our company via our website, the processing of personal data may become necessary. If the processing of personal data is required and no legal basis exists for such processing, we generally obtain the consent of the data subject. The processing of personal data, such as the name, address, email address, or phone number of a data subject, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the applicable national data protection regulations for Fashion Cloud GmbH.
With this privacy policy, we would like to inform the public about the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, this privacy policy will inform data subjects about their rights. Fashion Cloud GmbH, as the data controller, has implemented numerous technical and organizational measures to ensure the highest possible level of protection for the personal data processed through this website. Nevertheless, internet-based data transmissions may have security gaps, so absolute protection cannot be guaranteed. For this reason, it is open to any data subject to transmit personal data to us by alternative means, such as by phone.
This privacy policy focuses on the use case of the website as well as the web platform and the general storage of data. Detailed information regarding the processing of applicant data can be found under the section "Applicants".
Last Update: 12. December 2025, in collaboration with Jurando GmbH.
01 – Definitions:
The data protection declaration of the Fashion Cloud GmbH is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.
In this data protection declaration, we use, inter alia, the following terms:
a) Personal data
Personal data refers to any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, through reference to an identifier such as a name, an identification number, location data, or an online identifier. Personal data may also include information such as physical, physiological, genetic, mental, economic, cultural, or social identity. This term covers data such as names, contact details, and other identifying information.
b) Data subject
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
c) Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or controller responsible for the processing
Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
j) Third party
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
02 – Name and Address of the Controller:
The controller in the sense of the General Data Protection Regulation, other applicable data protection laws in the member states of the European Union, and other provisions with data protection-related character is:
Fashion Cloud GmbH
Besenbinderhof 41
20097 Hamburg
Deutschland
Phone: +49 (0)40 228 624 20
Email: info@fashion.cloud
Website: www.fashion.cloud
Legal Notice: https://www.fashion.cloud/legal-notice
03 – Name and Address of the Data Protection Officer:
The Data Protection Officer of the data controller is (external service provider):
Jurando GmbH
Dr. Dennis Werner
Rathausplatz 21
58507 Lüdenscheid
Phone: +49 (0)2351 668 543 7
Email: info@jurando.de
Any data subject can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.
04 – Website Visits: Online Services/Hosting
We process the data of users in order to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online offer to the browser or device of the user.
– Processed Data Types: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, participants). Content data (e.g., text or image messages and posts along with associated information such as authorship or creation time).
– Affected Persons: Users (e.g., website visitors, users of online services). Business and contractual partners.
– Purposes of Processing: Provision of our online services and usability; Information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.); security measures; content delivery network (CDN). Office and organizational processes.
– Storage and Deletion: Deletion in accordance with the information in the section "General Information on the Retention and Deletion of Data."
– Legal Basis: Legitimate interests Art. 6(1)(f) GDPR.
– For the operation of our website, we use services for technical provision, hosting, content delivery, and IT security: These include server and infrastructure services, storage and database services, security applications, and content delivery technologies. These services are necessary to ensure that we can provide our website reliably, stably, and securely. The service providers used for this purpose process personal data solely on our behalf and in accordance with our instructions. We have concluded data processing agreements with all service providers in accordance with Art. 28 GDPR, which ensure the security and confidentiality of the data.
– Provision of Online Offer on Rented Storage: For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise acquire from a server provider (also called "web host"). Legal basis: Legitimate interests Art. 6(1)(f) GDPR.
– Collection of Access Data and Logfiles: Access to our online offer is logged in the form of "server logfiles." The server logfiles include the address and name of the retrieved webpages and files, date and time of retrieval, transmitted data volume, message about successful retrieval, browser type and version, the user’s operating system, referring URL (the previously visited page), and usually the IP address and requesting provider. The server logfiles may be used for security purposes, such as to prevent server overload (especially in the case of abusive attacks, such as DDoS attacks) and to ensure the stability and optimal load balancing of the servers; Legal basis: Legitimate interests Art. 6(1)(f) GDPR. Retention period: Logfile information is stored for a period of up to 30 days and then deleted or anonymized. Data that is required to be stored for evidentiary purposes is excluded from deletion until the respective incident is fully clarified.
Further information on the processing methods, procedures, and services used:
– Provision of online offer on rented hosting space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a "web hoster"); Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– Collection of Access Data and Log Files: The access to our online services is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and optimal load balancing of the servers; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.
– Content-Delivery-Network: We use a so-called "Content Delivery Network" (CDN). A CDN is a service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– Amazon Web Services (AWS): Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://aws.amazon.com/; Privacy Policy: https://aws.amazon.com/privacy/; Data Processing Agreement: https://aws.amazon.com/compliance/gdpr-center/. Basis for third-country transfers: Data Privacy Framework (DPF).
– Webflow: Creation, management and hosting of websites, online forms and other web elements for the domain fashion.cloud; Service provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://webflow.com; Privacy Policy: https://webflow.com/legal/eu-privacy-policy; Data Processing Agreement: https://webflow.com/legal/dpa. Basis for third-country transfers: Data Privacy Framework (DPF).
– Wordpress: Hosting and software for the creation, provision and operation of websites, blogs and other online services for the domain brand.fashion.cloud; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://wordpress.com; Privacy Policy: https://automattic.com/privacy/; Data Processing Agreement: https://wordpress.com/support/data-processing-agreements/. Basis for third-country transfers: Data Privacy Framework (DPF).
– Cloudflare: Content-Delivery-Network (CDN) - service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third-country transfers: Data Privacy Framework (DPF).
– Amazon CloudFront: Content-Delivery-Network (CDN) - service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://aws.amazon.com/cloudfront/; Privacy Policy: https://aws.amazon.com/privacy/; Data Processing Agreement: https://aws.amazon.com/compliance/gdpr-center/. Basis for third-country transfers: Standard Contractual Clauses (Provided by the service provider).
– gstatic.com: Content-Delivery-Network (CDN) - service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy. Data Processing Agreement: https://business.safety.google/adsprocessorterms.
– JSDelivr: Content Delivery Network (CDN) that helps deliver media and files quickly and efficiently, especially under heavy load; Service provider: ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.jsdelivr.com. Privacy Policy: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.
– Marker.io: We use Marker.io as an online feedback and bug reporting tool to improve user experience and streamline issue reporting. Marker.io collects information related to feedback submissions, including screenshots, URLs, and user comments, to help us better understand and resolve reported issues. Marker.io may process certain personal data in accordance with our legitimate interests in improving our services. For more information on how Marker.io processes personal data, please refer to Marker.io’s Privacy Policy.
05 – Cookies and Similar Technologies
On our website, we use cookies and similar technologies. Cookies are small text files that are stored on your device and may contain certain information. The use of such technologies is governed by § 25 of the Telecommunication-Telemedia Data Protection Act (TTDSG). Technically necessary cookies, which are essential for the operation, security, and basic functions of our website, may be used without your consent. The processing of personal data related to these cookies is based on our legitimate interest according to Art. 6(1)(f) GDPR to ensure the functional and secure provision of our website. These technically necessary cookies are not individually described in this privacy policy, as they do not present selectable options and are strictly required for the use of our website.
All other non-technically necessary cookies and services from external providers, such as for embedding content, enhancing functionality, or improving IT security, will only be used after your voluntary consent according to § 25(1) TTDSG and Art. 6(1)(a) GDPR. For this purpose, we use a consent management tool that allows you to decide individually, upon your first visit to our website, which optional services you wish to allow. You can revoke or adjust your consent at any time in the future through the consent tool.
Further information on the service provider:
– Usercentrics: Cookie Consent Management: Procedures for obtaining, recording, managing, and revoking consents, particularly for the use of cookies and similar technologies for storing, accessing, and processing information on users' devices as well as their processing; Service provider: Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany; Website: https://usercentrics.com/. Privacy Policy: https://usercentrics.com/privacy-policy/.
Below we inform you, in accordance with Art. 13 GDPR, about those consent-based services that are loaded and used only after your consent.
06 – Cookie Settings:
– Processed Data Types: Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved parties).
– Affected Persons: Users (e.g., website visitors, users of online services).
– Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further information on the processing methods, procedures, and services used:
– Google Analytics/GA4 (Advanced Consent Mode): This website uses Google Analytics, a web analysis service that uses cookies (text files stored on your computer) to enable an analysis of your use of the website and improve our offer. If IP anonymization is activated on this website, your IP address will be shortened by Google within the member states of the European Union or in other countries that are parties to the European Economic Area agreement before being transmitted to a third country. This website uses Google Analytics with the extension “_anonymizeIp()”. As a result, IP addresses are shortened and can no longer be associated with an individual. If the data collected about you can be personally identifiable, it will be immediately excluded, and the personal data will be deleted. In exceptional cases, the full IP address will be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activities, and provide further services related to website usage and internet usage. You can prevent the storage of cookies by adjusting your browser settings; however, we would like to point out that you may not be able to use all the features of this website fully. You can further prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. You can also set an analytics opt-out cookie by clicking on the "Google Analytics Deactivate" link, which prevents Google Analytics from collecting data on the use of this website in the future. The legal basis for the use of Google Analytics is Art. 6(1)(a) GDPR. A transmission to the USA is possible; Google LLC is certified under the EU-U.S. Data Privacy Framework. 
Further information can be found at https://policies.google.com/privacy?hl=de.
– Google Tag Manager: We use “Google Fonts” on our website, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to display fonts consistently. When you visit our website, the required fonts are loaded from Google servers. This may transmit your IP address and technical information (e.g., browser type, operating system, language settings) to Google and be processed on servers in the USA. The use of Google Fonts is based solely on your consent according to Art. 6(1)(a) GDPR. Without your consent, no connection to Google servers is established. You can revoke your consent at any time with effect for the future. The legal basis for data transfers to third countries (USA): Data Privacy Framework (DPF). Further information on data protection by Google can be found at https://policies.google.com/privacy.
– Google Fonts: We use “Google Fonts” on our website, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to display fonts consistently. When you visit our website, the required fonts are loaded from Google servers. This may transmit your IP address and technical information (e.g., browser type, operating system, language settings) to Google and be processed on servers in the USA. The use of Google Fonts is based solely on your consent according to Art. 6(1)(a) GDPR. Without your consent, no connection to Google servers is established. You can revoke your consent at any time with effect for the future. The legal basis for data transfers to third countries (USA): Data Privacy Framework (DPF). Further information on data protection by Google can be found at https://policies.google.com/privacy.
– Google Ads / Conversion Tracking: We use Google Ads Conversion Tracking from Google Ireland Limited to track whether users arrive on our website via a Google ad and to measure which actions take place afterward. After your consent, Google sets cookies, which can track whether and how often certain pages were accessed or certain actions were performed. This may involve processing of IP address (shortened), browser information, referrer URL, click behavior, and timestamp. The information generated is transmitted to Google and provided to us in reports. There may be a transfer of data to Google LLC in the USA. This transfer is based on the EU Commission’s Standard Contractual Clauses; Google is also certified under the EU-U.S. Data Privacy Framework. The processing is based solely on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can revoke your consent at any time via our consent tool. Further information on data protection by Google can be found at https://policies.google.com/privacy.
– Google Ad Manager: We use Google Ad Manager, a service of Google Ireland Limited, to display advertising content within the Google ad network and optimize the delivery of our ads. Google may use cookies or similar technologies to create pseudonymous usage profiles that include information such as IP address, device and browser data, interactions, and page views. The processing is based solely on your consent according to Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG. For possible data transfers to the USA, appropriate guarantees are used (especially EU-US Data Privacy Framework (DPF) or EU Standard Contractual Clauses). Further information can be found in the privacy notice at https://policies.google.com/privacy.
– Google DoubleClick Floodlight: We use DoubleClick Floodlight, a service of Google Ireland Limited, to measure conversions and user interactions within our platform. Floodlight uses pixels and cookies to capture how users interact with our content, what actions are performed, and how campaign performances turn out. This may involve the processing of IP address (possibly shortened), browser data, referrer, and interaction events. There may be a transmission of personal data to Google LLC in the USA. This transfer is based on the EU Commission’s Standard Contractual Clauses; Google is also certified under the EU-U.S. Data Privacy Framework. The use is based solely on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG, which you can revoke at any time via our consent tool. Further information can be found in the privacy notice at https://policies.google.com/privacy.
– Google reCAPTCHA: We use Google reCAPTCHA from Google Ireland Limited to protect against automated inputs. After your consent, reCAPTCHA analyzes various technical information such as IP address, mouse movements, input behavior, browser and device details, and timestamps. This data is used to determine whether the input is made by a real person or automated software (bots). Data may be transmitted to Google LLC in the USA based on Standard Contractual Clauses; Google is also certified under the EU-U.S. Data Privacy Framework. The processing is solely based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time via the consent tool. Further information can be found in the privacy notice at https://policies.google.com/privacy.
– Meta Pixel (Facebook Pixel): We use Meta Pixel from Meta Platforms Ireland Ltd. to evaluate visitor interactions and display targeted advertising on Facebook and Instagram. After your consent, Meta sets cookies such as _fbp to recognize returning visitors and analyze their behavior across our website. Meta receives information such as IP address, browser data, device identifiers, visited pages, timestamps, and interaction events (e.g., clicks). The data may be transmitted to Meta Platforms Inc. in the USA. This transmission is based on Standard Contractual Clauses; Meta is also certified under the EU-U.S. Data Privacy Framework. The use is solely based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time. Further information on Meta’s privacy policy can be found at https://www.facebook.com/privacy and https://www.instagram.com/legal/privacy.
– LinkedIn Insight Tag: We use the LinkedIn Insight Tag from LinkedIn Ireland Unlimited Company to gather statistical insights on the use of our website and serve targeted advertising on LinkedIn. After your consent, cookies are set that allow LinkedIn to capture data such as IP address, device and browser information, page views, interactions, and timestamps. LinkedIn may transfer data to LinkedIn Corporation in the USA. This transfer is based on Standard Contractual Clauses; LinkedIn is also certified under the EU-U.S. Data Privacy Framework. The processing is solely based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time. Further information can be found in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.
– Microsoft Advertising (Bing Ads): We use Microsoft Advertising from Microsoft Ireland Operations Limited to measure conversions and evaluate the effectiveness of our ads. After your consent, Microsoft sets cookies (e.g., MUID) that enable recognition of users, capture their interactions, and create campaign analysis. This may involve processing of IP address, device and browser data, referrer, and interaction data. There may be a transfer of data to Microsoft Corporation in the USA. This transfer is based on Standard Contractual Clauses and Microsoft’s certification under the EU-U.S. Data Privacy Framework. The processing is based solely on your consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG). You can withdraw your consent at any time via our consent tool. Further information about data processing by Microsoft can be found in the privacy statement at https://privacy.microsoft.com/privacystatement.
– Microsoft Clarity: Our website uses Microsoft Clarity, a service provided by Microsoft Corporation (USA), to analyze user behavior. It captures pseudonymized data such as mouse movements, clicks, scroll behavior, device information, and interaction patterns to optimize the usability and presentation of our content. If Microsoft Clarity is used, it is solely based on your prior consent according to Art. 6(1)(a) GDPR. Microsoft may also process the transmitted data for its own purposes, such as improving its products and security functions. We have no influence over this further processing; depending on its design, there may be joint responsibility under Art. 26 GDPR. Microsoft provides corresponding agreements and regulations. Further information on data processing by Microsoft can be found in their privacy statement at https://privacy.microsoft.com/privacystatement.
– Leadinfo: We use Leadinfo, a service of Leadinfo B.V., Rotterdam, which identifies the companies visiting our website based on their IP address. Leadinfo creates server requests and processes technical identification features such as IP address, visited pages, and timestamps. This information is analyzed exclusively at the company level but may contain basic usage data. The processing is solely based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time.
– Weglot: We use Weglot, a service of Weglot SAS, to provide a language switch. After your consent, Weglot sets cookies to store your selected language settings and display content accordingly. This may involve the processing of technical usage data such as IP address, browser information, and interaction data. The processing is based solely on your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time.
– HubSpot: We use tracking and marketing features from HubSpot Ireland Ltd. After your consent, HubSpot uses cookies and similar technologies to evaluate user behavior on our website and support marketing processes. This includes cookies such as "hubspotutk" and other tracking mechanisms that allow recognition across multiple sessions and assign interactions with forms and content. HubSpot processes information such as visited pages, interactions, form submissions, navigation behavior, session duration, recurring visits, timestamps, and technical characteristics of the device used. The data is used to evaluate website activities, manage marketing campaigns, and ensure the functionality of forms. There may be a transfer of data to HubSpot Inc. in the USA. This transfer is based on the EU Commission’s Standard Contractual Clauses; HubSpot is also certified under the EU-U.S. Data Privacy Framework. The use of these tracking features is solely based on your consent according to Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG. You can withdraw your consent at any time via our consent tool. Further information on HubSpot’s data processing can be found in their privacy policy at https://legal.hubspot.com/de/privacy-policy.
07 – Newsletter:
We send newsletters and electronic notifications exclusively based on consent according to Art. 6(1)(a) GDPR, or for existing customers, based on our legitimate interest in direct marketing according to Art. 6(1)(f) GDPR in conjunction with § 7 UWG. Registration is logged using the double-opt-in procedure (timestamp, IP address, confirmation) to be able to prove lawful consent. For sending, segmenting, automating, and analyzing user behavior, we use the service Customer.io. This involves processing email addresses, technical data (e.g., IP address, device data), and interaction data (opens, clicks, time, technical parameters). The newsletters contain a tracking pixel ("web beacon") that records open and click rates. The evaluation serves to optimize our communication offering. A separate revocation of success measurement is not possible; unsubscribing from the newsletter is required.
Further information on the service provider:
– HubSpot Email Marketing: Sending marketing emails, creating personalised campaigns, automating workflows, segmenting target audiences, integrating with CRM systems, analysing performance through reports and dashboards; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.hubspot.com/products/marketing/email; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa). Further Information: https://legal.hubspot.com/dpa.
– Customer.io (USA): Sending marketing messages and campaign management on various communication channels, automation, personalization, profiling and analysis; Service provider: Peaberry Software Inc., 9450 SW Gemini Dr., Suite 43920, Beaverton, Oregon 97008-7105, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://customer.io/; Privacy Policy: https://customer.io/legal/privacy-policy/; Data Processing Agreement: https://customer.io/legal/dpa/; Basis for third-country transfers: Standard Contractual Clauses (https://customer.io/legal/scc/). Further Information: https://customer.io/legal/gdpr/.
– SparkPost (USA): Sending transactional messages and campaign management on various communication channels, automation, personalization, profiling and analysis; Privacy policy: https://www.sparkpost.com/policies/. Transfers to the USA occur based on EU Standard Contractual Clauses.
After unsubscribing, the email address may be stored for documenting the previous consent based on legitimate interests according to Article 6(1)(f) GDPR for up to three years. An early deletion is possible if the previous existence of consent is confirmed. Addresses can also be stored in a blacklist for permanent consideration of objections.
08 – Chatbots and Chat Functions:
We provide online chats and chatbot functions as a means of communication (together referred to as "Chat Services"). A chat is an online conversation that is conducted with a certain degree of immediacy. A chatbot is software that answers users' questions or informs them about messages. If you use our chat functions, we may process your personal data.
If you use our Chat Services within an online platform, your identification number is also stored within the respective platform. We may also collect information about which users interact with our Chat Services and when. Furthermore, we store the content of your conversations via the Chat Services and log registration and consent processes in order to be able to prove these in accordance with legal requirements.
We would like to inform users that the respective platform provider can find out that users communicate with our Chat Services, and when, and can collect technical information about the device used and, depending on the settings of that device, also location information (so-called metadata) for the purpose of optimising the respective services and for security purposes. Likewise, the metadata of communication via Chat Services (i.e., information about who has communicated with whom) could be used by the respective platform providers for marketing purposes or to display advertising tailored to users in accordance with their regulations, to which we refer for further information. If users agree to receive information through regular chatbot messages, they can unsubscribe from this information for the future at any time. The chatbot tells users how and with which terms they can unsubscribe from the messages. When users unsubscribe from the chatbot messages, their data is deleted from the directory of message recipients.
We use the aforementioned information to operate our Chat Services, e.g. to address users personally, to answer their inquiries, to transmit any requested content and also to improve our Chat Services (e.g. to "teach" chatbots answers to frequently asked questions or to identify unanswered inquiries).
Information on Legal basis: We use the Chat Services on the basis of a consent if we first obtain the permission of the users to process their data by the Chat Services (this applies in cases where users are asked for consent, e.g. so that a chatbot regularly sends them messages). If we use Chat Services to answer user queries about our services or our company, this is done for contractual and pre-contractual communication. In addition, we use Chat Services based on our legitimate interests in optimizing the Chat Services, its operating efficiency and enhancing the positive user experience.
Withdrawal, objection and deletion: You can revoke a given consent at any time or object to the processing of your data in the context of our chatbot use.
– Processed data types: Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
– Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
– Purposes of processing: Contact requests and communication. Direct marketing (e.g. by e-mail or post).
– Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
– Legal Basis: Consent (Article 6 (1) (a) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures, and services used:
– Intercom (Chat and AI Assistance): Communication platform with messenger, chat, and chatbot functions as well as conversation, contact, and customer management; Service provider: Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2, Ireland (https://www.intercom.com/de); Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.intercom.com; Privacy Policy: https://www.intercom.com/legal/privacy; Data Processing Agreement: https://www.intercom.com/de/legal/data-processing-agreement. Basis for third-country transfers: Standard Contractual Clauses (https://www.intercom.com/de/legal/data-processing-agreement).
09 – Embedding External Content/Services:
– YouTube: We use YouTube, a service of Google Ireland Limited, to embed videos. After your consent, YouTube may set cookies, create user profiles, and process usage data such as IP address, device information, interactions (e.g., playback, duration), and referrer URLs. YouTube may transfer data to Google LLC in the USA. The data transfer is based on Standard Contractual Clauses; Google is certified under the EU-U.S. Data Privacy Framework. Processing occurs exclusively with your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time through our consent tool. Further information can be found in YouTube's privacy policy at https://policies.google.com/privacy.
– Audio Content / Podcasts: If we provide audio or podcast content through external hosting services, technical data necessary for the delivery and playback of this content is processed. This includes IP address, device and browser information, access time, and usage data such as playback events and interactions with the audio player. Hosting services may also conduct statistical evaluations of podcast performance, such as access and playback numbers or repeated retrievals. Processing is based on our legitimate interests in providing and optimizing audio content according to Art. 6(1)(f) GDPR. If cookies or similar technologies are used for audio functionality, this is done solely with your consent according to Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG. For podcast hosting, the service podcaster.de (Fabio Bacigalupo, Brunnenstraße 147, 10115 Berlin) may be used. Further information can be found at: https://www.podcaster.de/privacy.
– Links to Social Media Platforms: Our website contains links and buttons to our profiles on LinkedIn, Facebook, Instagram, and Spotify. When you visit our website, no personal data is transmitted to the mentioned platforms through these links. Data processing only occurs when you actively select the respective external link and directly access the corresponding platform.
In this case, the processing of personal data by the respective providers takes place based on the privacy policies of the platforms. These can be found here:
Facebook/Instagram (Meta Platforms Ireland Ltd.): https://www.facebook.com/privacy and https://www.instagram.com/legal/privacy
LinkedIn (LinkedIn Ireland Unlimited Company): https://www.linkedin.com/legal/privacy-policy
Spotify (Spotify AB): https://www.spotify.com/legal/privacy-policy
– Feedback and Surveys: To conduct voluntary surveys and gather feedback, our website may use online questionnaires. The evaluation is generally anonymized; personal data is only processed if necessary for the technical provision and execution of the survey, such as for displaying the questionnaire in the browser or resuming an incomplete survey. This may include processing technical usage data, such as IP addresses, timestamps, and the content entered by participants. The processing is based on our legitimate interests in improving our services in accordance with Article 6 (1) (f) GDPR. If surveys are conducted with consent in individual cases, the processing is based on Article 6 (1) (a) GDPR.
For the creation and provision of such questionnaires, we use the service "Typeform," provided by TYPEFORM S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain. Further information about data processing by Typeform can be found at https://www.typeform.com and in their privacy policy at https://admin.typeform.com/to/dwk6gt/.
– Spotify Widget: Our website may provide audio content through an embedded Spotify widget. When visiting a page that includes this widget, a connection is made to the servers of Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. In the process, the IP address of the used device, as well as technically necessary browser and device information, is transmitted to Spotify to display the player and stream audio content. The embedding of third-party content is done solely on the basis of your prior consent in accordance with Article 6 (1) (a) GDPR. Without your consent, the widget will not be loaded. Further information can be found in Spotify’s privacy policy at https://www.spotify.com/legal/privacy-policy/.
10 – Fashion Cloud Platform:
– Registration, Login, and User Account: To use our platform, creating a personal user account is required. We process the data you provide, particularly your name, business contact details, and email address, to create, manage the account, and provide you with the platform’s functions. During registration and while using the account, we also process technical usage and log data such as IP address, timestamp, and security-related log entries to ensure the platform’s secure operation and to prevent misuse. Due to the nature of our platform, usage under the real name is required; pseudonyms are not permitted. Users may be informed by email about account-relevant technical or organizational changes. The processing is carried out to execute pre-contractual measures and fulfill the user contract according to Art. 6(1)(b) GDPR, as well as to ensure the technical integrity and security of our systems based on our legitimate interest according to Art. 6(1)(f) GDPR.
– Single Sign-On (SSO): We offer the option to log in via so-called Single Sign-On services (SSO). Authentication occurs exclusively with the respective SSO provider. We only receive a technical user identification and individual profile data, such as the email address, if you make this available with the SSO provider. Passwords are not transmitted to us and are not stored by us. The use of the SSO method is carried out to fulfill the user relationship according to Art. 6(1)(b) GDPR and, where applicable, to ensure a secure and user-friendly login process according to Art. 6(1)(f) GDPR. The connection to the SSO provider can be disconnected at any time in the provider's settings; however, this does not replace the deletion of the user account on our platform. The service provider for the SSO method is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The privacy policy can be accessed at https://privacy.microsoft.com/de-de/privacystatement.
– Processing in the Context of Platform Use and Business Operations: Within the framework of using our platform, we only process personal data to the extent necessary to provide platform features, manage user accounts, and perform business interactions initiated or completed through the platform. This includes, in particular, technical usage data, registration information, communication data, and content generated during platform use. If business processes between users are supported or executed via the platform, the processing extends to the necessary data, such as to provide digital services, prepare or execute contractual processes, or support organizational workflows. No independent further processing for business purposes takes place. To provide technical support and ensure the secure operation of the platform, we use suitable hosting, infrastructure, and system service providers. The hosting and infrastructure service providers involved are listed in the general description of online services and hosting processing operations (see Section 3.1). If business operations require it, such as in the processing of orders or services, personal data may be shared with payment service providers, banks, or shipping service providers. The processing is carried out exclusively to fulfill the user relationship or specific transactions according to Art. 6(1)(b) GDPR.
– Storage and Deletion: We generally store platform-related data for the duration of active account usage. After the termination of the user relationship, we retain data for the duration of statutory warranty and similar periods, usually up to four years. Additionally, statutory retention periods apply, which in some cases can be up to six years for commercial documents and up to ten years for tax-related documents such as invoices and booking records. These periods start at the end of the calendar year in which the respective information was created. After the respective periods expire, we delete the data unless there are legitimate interests in further storage, such as for defending or asserting legal claims.
11 – Within the Company:
– Customer and Supplier Data: This data is processed in the context of fulfilling our contracts with customers/suppliers and implementing pre-contractual measures. The purposes of data processing are based on the needs of the customer and may also include sales/consultation discussions and similar activities. Furthermore, we process personal data to initiate and fulfill contracts with suppliers and service providers based on Art. 6(1)(b) GDPR.
– Communication via WhatsApp: We offer the option to contact us via WhatsApp. If you use WhatsApp to send us a message, we process the information you provide and the technical communication data generated to answer your request and, if applicable, to carry out pre-contractual measures (Art. 6(1)(b) GDPR). Please note that WhatsApp Ireland Limited and possibly WhatsApp LLC (USA) may process certain metadata of the communication, such as the time of message transmission, device data, or information about your use of the service. The contents of your messages are protected by end-to-end encryption and cannot be viewed by WhatsApp. We do not transmit your contact details to WhatsApp without your prior contact. If you do not wish to communicate via WhatsApp, you can always contact us alternatively via email or phone. The data will be deleted once the purpose is fulfilled unless legal retention obligations exist. Further information on data processing by WhatsApp can be found in the provider's privacy policy: https://www.whatsapp.com/legal/. Basis for possible data transfers to the USA is the EU-U.S. Data Privacy Framework and the Standard Contractual Clauses used by WhatsApp.
– Online Meetings and Video Conferences: For phone or virtual meetings, online discussions, or web conferences, we use common video conferencing services such as Zoom. When participating, the information you provide (e.g., name, email address) as well as technical communication data required to establish and conduct the connection are processed. This includes, in particular, IP address, device and browser information, time, and duration of participation as well as, if voluntarily provided, audio, video, or chat content. The processing is carried out to prepare, conduct, and follow up on business communication and to fulfill contractual or pre-contractual measures according to Art. 6(1)(b) GDPR. If content is recorded, this only occurs after prior transparent information; the processing is based on your consent according to Art. 6(1)(a) GDPR. For certain processing operations, data may be transferred to third countries (e.g., USA). In these cases, the transfer is based on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework of the respective provider. Privacy information from Zoom: https://www.zoom.com/de/trust/privacy/privacy-statement/
12 – Contact and Inquiry Management:
– Contact via Contact Form, Email, Phone: When you contact us (e.g., via the contact form on our website/subpages, via email, or by phone), we process the information you transmit as well as any technical communication data to process and answer your request. This includes, in particular, contact data (e.g., name, email address, phone number), the content of your message, and technical metadata (e.g., time of transmission, IP address). The data entered in the forms is used solely for processing your request and not for any other purposes. The data processing is carried out to process your request or to perform pre-contractual or contractual measures according to Art. 6(1)(b) GDPR, as well as based on our legitimate interest in efficient communication according to Art. 6(1)(f) GDPR. The data will be deleted once the purpose is fulfilled, unless there are legal retention obligations.
Further information on processing methods, procedures and services used:
– HubSpot Analytics: Web analysis, measuring reach and analyzing user behavior in relation to the use and interests regarding functions and content as well as their duration of use based on a pseudonymous user identification number and profile creation; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.hubspot.com/products/marketing/analytics; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
– HubSpot Breeze: AI-based service for automating tasks, analysing customer data, predicting trends, enhancing the personalisation of marketing strategies, and supporting decision-making; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.hubspot.com/products/artificial-intelligence; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dp.
– HubSpot Marketing Hub: Email marketing, lead generation, marketing automation, analysis of campaign performance, management of social media interactions, creation and optimisation of landing pages, as well as contact management; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
– HubSpot CRM: Management of customer contacts, tracking of sales activities, automation of marketing campaigns, analysis of sales data, creation and management of email campaigns, integration with other tools and platforms, management of customer support inquiries, AI-supported content generation, personalised email creation, predictive sales forecasts, automatic workflow descriptions and AI chatbots for customer interaction; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.hubspot.de/pa/crm; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
– HubSpot Sales Hub: Management of sales processes, automation of sales tasks, tracking of customer interactions, analysis of sales data, integration with email and calendars, creation of reports and forecasts, management of contacts and leads, support in communication with customers; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.hubspot.com/products/sales; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
– HubSpot Content Hub: Creation, management and optimisation of content, support in SEO optimisation, planning and publication of posts on various channels, analysis of content performance; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.hubspot.com/products/content; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
– HubSpot CMS: Content Management System (CMS) is a service that facilitates the collaborative creation, editing, organizing, and displaying of digital content for the purpose of publication on websites, apps, and other media formats; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.hubspot.com/products/cms; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
13 – Social Media Profiles:
We maintain profiles on various social networks to provide information about our company and to communicate with users. When you visit our social media pages, the respective platform operators process personal data of the users, including usage, profile, communication, and technical data (e.g., IP addresses). The data processing can serve for analysis, advertising, and profiling purposes and may also take place in third countries; for providers participating in the EU-US Data Privacy Framework (DPF), an adequate level of data protection exists.
In general, there is joint responsibility between us and the respective platform provider for certain processing operations (e.g., statistical “insights data”). Users can assert their rights concerning the processed data both with us and directly with the respective provider; in many cases, the platform provider is the more effective contact point, as it has direct access to the processed data.
When we process personal data ourselves in the context of our social media presence (e.g., when responding to inquiries, messages, or comments), this is done for communication with the affected persons according to Art. 6(1)(f) GDPR.
We maintain profiles with the following providers:
– Facebook (including Facebook Pages and Facebook Events): Meta Platforms Ireland Limited, Dublin, Ireland Privacy Policy: https://www.facebook.com/about/privacy
– Instagram: Meta Platforms Ireland Limited, Dublin, Ireland Privacy Policy: https://instagram.com/about/legal/privacy
– LinkedIn: LinkedIn Ireland Unlimited Company, Dublin, Ireland Privacy Policy: https://www.linkedin.com/legal/privacy-policy
– Xing: New Work SE, Hamburg, Germany Privacy Policy: https://privacy.xing.com
– YouTube: Google Ireland Limited, Dublin, Ireland Privacy Policy: https://policies.google.com/privacy
– Spotify: Spotify AB, Stockholm, Sweden Privacy Policy: https://www.spotify.com/legal/privacy-policy
Please also refer to the privacy policies of the respective providers, especially regarding the scope, purpose, and legal basis of the data processing carried out by them, as well as the options for protecting your privacy.
14 – Online Marketing:
We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as "Content") based on the potential interests of users and the measurement of their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (a so-called "cookie"), or a similar procedure is used by which the relevant user information for the display of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, communication partners and technical information such as the browser used, computer system used and information on usage times and used functions. If users have consented to the collection of their sideline data, these can also be processed.
The IP addresses of the users are also stored. However, we use the IP masking procedures provided (i.e. pseudonymisation by shortening the IP address) to protect users by means of a pseudonym. In general, within the framework of the online marketing process, no clear user data (such as e-mail addresses or names) is stored, only pseudonyms. This means that we, as well as the providers of online marketing procedures, do not know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in the cookies or similar memorizing procedures. These cookies can later, generally also on other websites that use the same online marketing technology, be read and analyzed for purposes of content display, as well as supplemented with other data and stored on the server of the online marketing technology provider.
Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use and the network links the users' profiles with the aforementioned data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g. by consenting as part of a registration process.
As a matter of principle, we only gain access to summarised information about the performance of our advertisements. However, within the framework of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us. The conversion measurement is used solely for the performance analysis of our marketing activities.
Unless otherwise stated, we kindly ask you to consider that cookies used will be stored for a period of two years.
Notes on revocation and objection:
We refer to the privacy policies of the respective service providers and the possibilities for objection (so-called "opt-out"). If no explicit opt-out option has been specified, it is possible to deactivate cookies in the settings of your browser. However, this may restrict the functions of our online offer. We therefore recommend the following additional opt-out options, which are offered collectively for each area:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) Cross-regional: https://optout.aboutads.info.
– Processed data types: Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties); Event Data (Facebook) ("Event Data" is data that can be transmitted from us to Facebook, e.g. via Facebook pixels (via apps or other means) and relates to persons or their actions; the data includes, for example, information about visits to websites, interactions with content, functions, installations of apps, purchases of products, etc.; Event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences). Event Data does not include the actual content (such as written comments), login information, and Contact Information (such as names, email addresses, and phone numbers). Event Data is deleted by Facebook after a maximum of two years, the Custom Audiences created from them with the deletion of our Facebook account).
– Data subjects: Users (e.g. website visitors, users of online services).
– Purposes of processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Targeting (e.g. profiling based on interests and behaviour, use of cookies); Conversion tracking (Measurement of the effectiveness of marketing activities); Affiliate Tracking; Marketing; Profiles with user-related information (Creating user profiles); Provision of our online services and usability. Remarketing.
– Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years.).
– Security measures: IP Masking (Pseudonymization of the IP address).
– Legal Basis: Consent (Article 6 (1) (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
– Meta Pixel and Custom Audiences (Custom Audiences): With the help of the Meta-Pixel (or equivalent functions, to transfer Event-Data or Contact Information via interfaces or other software in apps), Meta is on the one hand able to determine the visitors of our online services as a target group for the presentation of ads (so-called "Meta ads"). Accordingly, we use Meta-Pixels to display Meta ads placed by us only to Meta users and within the services of partners cooperating with Meta (so-called "audience network" https://www.facebook.com/audiencenetwork/) who have shown an interest in our online services or who have certain characteristics (e.g. interests in certain topics or products that are determined on the basis of the websites visited) that we transmit to Meta (so-called "custom audiences"). With the help of Meta-Pixels, we also want to ensure that our Meta ads correspond to the potential interest of users and do not appear annoying. The Meta-Pixel also enables us to track the effectiveness of Meta ads for statistical and market research purposes by showing whether users were referred to our website after clicking on a Meta ad (known as "conversion tracking"); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers: Data Privacy Framework (DPF). Further Information: User event data, i.e. behavioral and interest data, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of the data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns in particular the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
– Facebook Ads: Placement of ads within the Facebook platform and analysis of ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-Out: We refer to the privacy and advertising settings in the users' profiles on the Facebook platforms, as well as to Facebook's consent procedures and contact options for exercising access and other data subject rights, as described in Facebook's privacy policy. Further Information: User event data, i.e. behavioral and interest data, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of the data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns in particular the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
– Google Ad Manager: We use the service "Google Ad Manager" to place ads in the Google advertising network (e.g. in search results, videos, websites, etc.). The Google Ad Manager stands out because ads are displayed in real time based on users' presumed interests. This allows us to display ads for our online offering to users who may have a potential interest in our offering or who have previously shown interest, and measure the success of the ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/; Google Ads Controller-Controller Data Protection Terms and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms. Where Google acts as processor, the Data Processing Conditions for Google Advertising Products and standard contractual clauses for data transfers to third countries apply: https://business.safety.google/adsprocessorterms.
– Google Ads and Conversion Tracking: Online marketing process for purposes of placing content and advertisements within the provider's advertising network (e.g., in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads. Furthermore, we measure the conversion of the ads, i.e. whether the users took them as a reason to interact with the ads and make use of the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/. Google Ads Controller-Controller Data Protection Terms and standard contractual clauses for data transfers to third countries:
– Instagram Ads: Placement of ads within the Instagram platform and analysis of ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-Out: We refer to the data protection and advertising settings in the user's profile on the Instagram platform as well as Instagram's consent procedure and Instagram's contact options for exercising information and other data subject rights in Instagram's privacy policy. Further Information: User event data, i.e. behavioral and interest data, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of the data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns in particular the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
– LinkedIn Insights Tag: Code that is loaded when a user visits our online offering and tracks the user's behavior and conversions, as well as stores it in a profile (possible use cases: measuring campaign performance, optimizing ad delivery, building custom and similar target groups); Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy, cookie policy: https://www.linkedin.com/legal/cookie_policy; Data Processing Agreement: https://www.linkedin.com/legal/l/dpa; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
– Facebook Conversions API: We use the "Conversions API" provided by Facebook. The Conversions API is an interface with which event data is sent directly from our servers to Facebook. The functionality and processing of data within the framework of the Conversions API corresponds to the functionality and processing within the framework of the use of the Facebook Pixel, and therefore we refer to the data protection information on the Facebook Pixel and Custom Audiences in this respect; Legal Basis: Consent (Article 6 (1) (a) GDPR).
– UTM Parameter: Analysis of sources and user actions based on an extension of web addresses referring to us with an additional parameter, the "UTM" parameter. For example, a UTM parameter "utm_source=platformX&utm_medium=video" can tell us that a person clicked the link on platform X within a video. The UTM parameters provide information about the source of the link, the medium used (e.g. social media, website, newsletter), the type of campaign or the content of the campaign (e.g. posting, link, image and video). With the help of this information, we can, for example, check our visibility on the Internet or the effectiveness of our campaigns. This service may be associated with cookie data; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– LinkedIn Ads: Placement of ads within the LinkedIn platform and analysis of ad results; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://business.linkedin.com/de-de/marketing-solutions/ads; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
– Microsoft Advertising: Online marketing process for purposes of placing content and advertisements within the provider's advertising network (e.g., in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads. Furthermore, we measure the conversion of the ads, i.e. whether the users took them as a reason to interact with the ads and make use of the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://about.ads.microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out: https://account.microsoft.com/privacy/ad-settings/.
– Tableau: Creation of interactive reports and dashboards, linking various data sources, visualisation of data through charts and graphs, real-time data synchronization, sharing reports with other users, customization of report layouts and designs; Service provider: Tableau Software LLC, 1621 N. 1st St., San Jose, California 95112, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.tableau.com; Privacy Policy: https://www.tableau.com/privacy; Data Processing Agreement: https://www.tableau.com/legal/data-processing-addendum; Basis for third-country transfers: Data Privacy Framework (DPF).
15 – Recipients, Categories of Recipients, and Processors:
– Data Transfer within the Corporate Group: We may transfer personal data to other companies within our corporate group or grant them access to it. This data transfer is based on our legitimate business and economic interests. This includes, for example, the improvement of business processes, ensuring efficient and effective internal communication, optimizing the use of our personnel and technical resources, and the ability to make informed business decisions. In certain cases, the transfer of data may also be necessary to fulfill our contractual obligations, or it may be based on the consent of the affected persons or legal permission.
– Data Transfer within the Organization: We may transfer personal data to other departments or units within our organization or grant them access. If the data is transferred for administrative purposes, this is based on our legitimate business and economic interests or occurs when it is necessary to fulfill our contractual obligations, or if the affected persons have given their consent or legal permission.
– Data Transfer to Third Parties: In principle, we do not transfer your personal data to third parties. Exceptions apply only if this is necessary for the execution of contractual relationships with you, if you have provided your consent, if legal provisions require it, or if we are authorized to disclose the data. This includes, in particular, the transfer to service providers we have contracted (e.g., processors) or other third parties whose activities are necessary for the performance of the contract (e.g., event organizers, authorities, courts, experts, etc.). The transmitted data may only be used by third parties for the specified purposes.
16 – Legal Bases:
If not already specifically stated in Section 4, the following legal bases apply to data processing:
If we obtain the consent of the affected person for processing personal data, Art. 6(1)(a) GDPR serves as the legal basis.
If the processing of personal data is necessary for the performance of a contract (whether for a paid or free contract), Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
If processing is required to fulfill a legal obligation to which we are subject, Art. 6(1)(c) GDPR serves as the legal basis.
If processing is necessary to safeguard the legitimate interest of our company or a third party and the interests, rights, and freedoms of the affected person do not override these interests, Art. 6(1)(f) GDPR serves as the legal basis for processing.
17 – International Data Transfers:
– Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing occurs as part of using third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this only occurs in compliance with legal requirements. If the level of data protection in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the level of data protection is ensured in another way, particularly through Standard Contractual Clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49(1) GDPR). For third-country transfers and the adequacy decisions in place, we will inform you about the grounds of the third-country transfer in the individual provider's section, with adequacy decisions being the primary basis. Information on third-country transfers and adequacy decisions can be found on the EU Commission's information page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
– EU-US Trans-Atlantic Data Privacy Framework: Under the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection for certain companies from the USA in the adequacy decision of 10.07.2023. You can find the list of certified companies and more information about the DPF on the U.S. Department of Commerce's website: https://www.dataprivacyframework.gov/ (in English). In this privacy policy, we indicate which of the service providers we use are certified under the Data Privacy Framework.
18 – General Information on Data Retention and Deletion:
Unless otherwise specified in this statement, we only store personal data as long as necessary to fulfill the purposes pursued. Your personal data will be deleted as soon as the purpose of the data processing no longer applies. If legitimate reasons for deletion, according to Art. 17(3) GDPR, such as a legal retention obligation, apply, the processing of the data will be restricted for this period. Legal retention obligations may exist due to tax and commercial documentation duties. In these cases, the data will be deleted when the reason for the further storage expires, e.g., when the statutory retention period ends.
19 – Rights of the Data Subject:
You have the right to request information about your personal data processed by us within the framework of applicable legal provisions, including the purpose of processing, the categories of personal data, the categories of recipients, the planned retention period, the right to rectification, deletion, restriction of processing, or objection, the existence of a right to lodge a complaint, the origin of the data if not collected from you, as well as the existence of automated decision-making, including profiling and meaningful information about the details.
– Right to Rectification or Completion: You have the right to immediately request the rectification of inaccurate personal data, or the completion of incomplete personal data, stored by us.
– Right to Deletion: You have the right to request the deletion of your personal data stored by us, as long as further processing is not necessary to exercise the right of freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or for the assertion, exercise, or defense of legal claims.
– Right to Restriction of Processing: You have the right to request the restriction of processing your personal data, as long as you dispute the accuracy of the data, the processing is unlawful but you oppose the deletion, we no longer need the data but you need it for the assertion, exercise, or defense of legal claims, or you have objected to the processing according to Art. 21 GDPR.
– Obligation of the Controller to Notify: If you assert your right to rectification, deletion, or restriction of processing, we are obligated to inform all recipients to whom we have disclosed your personal data about this rectification or deletion of the data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients.
– Right to Data Portability: You have the right to data portability, meaning the right to receive your stored data from us in a structured, commonly used, and machine-readable format.
You also have the right to have your personal data, which we process based on your consent or in the performance of a contract, transferred to another controller in a structured, commonly used, and machine-readable format. If you request the direct transfer of data to another controller, this will only occur as long as it does not restrict the rights and freedoms of other persons.
– Right to Object: You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on Art. 6(1)(f) GDPR (processing based on a balancing of interests).
If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
– Right to Withdraw Consent: If we process your personal data based on your consent, you have the right to withdraw this consent at any time, with effect for the future. In the event of withdrawal, we will immediately delete the affected data, unless further processing is based on a legal basis for processing without consent (e.g., statutory retention periods).
Your withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
– Right to Lodge a Complaint with a Supervisory Authority: In addition, you always have the right to lodge a complaint with the competent data protection supervisory authority. You can contact the data protection authority of your federal state or the authority of the federal state in which the responsible party has its seat.
The supervisory authority responsible for us is the Hamburg Commissioner for Data Protection and Freedom of Information, which you can contact as follows:
Ludwig-Erhard-Str. 22, 7th floor
20459 Hamburg
Tel: +49 40 / 428 54 - 4040
Fax: +49 40 / 428 54 - 4000
Email: mailbox@datenschutz.hamburg.de
20 – Data Security:
We take technical and organizational measures to protect your data from unauthorized access as comprehensively as possible. We use an encryption procedure on our websites. Your data is transmitted from your computer to our server and vice versa via the internet using TLS encryption. You can usually recognize this by the closed lock symbol in the status bar of your browser and the address bar starting with "https://".
21 – Status and Updates of this Privacy Policy:
The status of this privacy policy is December 2025. We reserve the right to adapt this privacy policy periodically based on the underlying data processing operations or due to changes in legal requirements.