Preamble
With the following privacy policy, we explain which types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences such as our social media profiles (collectively referred to as the “online offering”).
The terms used are not gender-specific.
Last updated: 13 September 2025
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Relevant Legal Bases
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Blogs and Publication Media
- Contact and Inquiry Management
- Audio Content
- Newsletter and Electronic Notifications
- Web Analytics, Monitoring and Optimization
- Presences on Social Networks (Social Media)
- Plug-ins and Embedded Functions and Content
Controller
Playful Mindfulness – Toni Koç
Hans-Thoma-Str. 2
14467 Potsdam, Germany
Email: toni@playful-mindfulness.com
Imprint: https://playful-mindfulness.com/imprint/
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects.
Types of data processed
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
- Log data.
Categories of data subjects
- Recipients of services and clients.
- Prospective parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Education and course participants.
Purposes of processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Office and organizational procedures.
- Conversion measurement.
- Organizational and administrative procedures.
- Feedback.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
- Public relations.
- Business processes and commercial procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR: Below is an overview of the GDPR legal bases on which we process personal data. Please note that, in addition to the GDPR, national data protection provisions may apply in your or our country of residence or seat. If more specific legal bases apply in individual cases, we will inform you in this privacy policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not override those interests.
National data protection rules in Germany: In addition to the GDPR, national data protection provisions apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to deletion, the right to object, processing of special categories of personal data, processing for other purposes, and transfer as well as automated individual decision-making including profiling. State data protection laws of the individual federal states may also apply.
Note on applicability of the GDPR and the Swiss FADP: These data protection notices serve both for information under the Swiss Federal Act on Data Protection (FADP) and under the GDPR. For broader geographic applicability and clarity, the terms of the GDPR are used. Thus, instead of the FADP terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data,” the GDPR terms “processing” of “personal data,” “legitimate interests,” and “special categories of data” are used. The legal meaning of terms under the FADP remains governed by the FADP where it applies.
International Data Transfers
Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or this occurs in the context of using third-party services or disclosure/transfer of data to other persons, bodies, or companies (recognizable by the provider’s postal address or where this privacy policy explicitly indicates a third-country transfer), such transfer is always carried out in accordance with legal requirements.
For transfers to the USA, we primarily rely on the EU–U.S. Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the European Commission on 10 July 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers, which comply with the European Commission’s requirements and set contractual obligations to protect your data.
This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary layer of protection, while the SCCs serve as an additional safeguard. Should changes affect the DPF, the SCCs function as a reliable fallback option. This ensures that your data remains adequately protected even amid political or legal changes.
For each service provider, we inform you whether they are certified under the DPF and whether SCCs are in place. Further information on the DPF and a list of certified companies can be found on the U.S. Department of Commerce website: https://www.dataprivacyframework.gov/ (in English).
For transfers to other third countries, appropriate safeguards apply, in particular SCCs, explicit consent, or transfers required by law. Information about third-country transfers and applicable adequacy decisions can be found on the European Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal requirements as soon as the underlying consents are revoked or no other legal basis for processing exists. This applies where the original processing purpose no longer exists or the data is no longer needed. Exceptions apply where legal obligations or specific interests require longer retention or archiving.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on retention and deletion that apply to specific processing operations.
Where multiple retention or deletion periods are stated for a dataset, the longest period applies. Data no longer retained for the original purpose but kept due to legal requirements or other reasons will be processed solely for the reasons justifying their retention.
Retention and deletion of data: The following general periods apply for retention and archiving under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet, and the working and organizational documents required to understand them (Sec. 147(1) no. 1 in conjunction with (3) AO; Sec. 14b(1) UStG; Sec. 257(1) no. 1 in conjunction with (4) HGB).
- 8 years – Accounting vouchers, such as invoices and cost receipts (Sec. 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO; Sec. 257(1) no. 4 in conjunction with (4) HGB).
- 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents relevant for taxation, e.g., timesheets, cost accounting sheets, calculation documents, price labels, and payroll records unless they are accounting vouchers, as well as cash register receipts (Sec. 147(1) nos. 2, 3, 5 in conjunction with (3) AO; Sec. 257(1) nos. 2 and 3 in conjunction with (4) HGB).
- 3 years – Data necessary to consider potential warranty and damages claims or similar contractual claims and rights and to process related inquiries, stored for the regular statutory limitation period of three years based on past business experience and industry practice (Secs. 195, 199 BGB).
Rights of Data Subjects
Rights under the GDPR: As a data subject, you have various rights under the GDPR, in particular those set out in Arts. 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent at any time.
- Right of access: You have the right to obtain confirmation as to whether data concerning you are being processed and to access such data and further information and copies thereof in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request completion of data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request the immediate deletion of data concerning you or, alternatively, restriction of processing in accordance with legal requirements.
- Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request transmission to another controller, in accordance with legal requirements.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Business Services
We process data of our contractual and business partners, e.g., customers and prospective customers (together referred to as “contractual partners”), within the framework of contractual and comparable legal relationships and associated measures and for communication with contractual partners (or pre-contractually), for example to respond to inquiries.
We use this data to fulfill our contractual obligations, in particular to provide the agreed services, fulfill any update obligations, and provide remedy in the event of warranty and other performance issues. We also use the data to safeguard our rights and for administrative tasks associated with these obligations as well as corporate organization. In addition, we process data based on our legitimate interests in proper and economically efficient business management and in security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In accordance with the applicable law, we only pass on data of contractual partners to third parties to the extent necessary for the purposes mentioned above or to comply with legal obligations. Contractual partners are informed about further forms of processing, e.g., for marketing purposes, within this privacy policy.
We inform contractual partners which data are required for the above purposes before or at the time of data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after four years, unless the data are stored in a customer account (e.g., as long as they must be archived for legal reasons, typically ten years for tax purposes). Data disclosed to us by the contractual partner in the context of an assignment will be deleted in accordance with the specifications and generally upon completion of the assignment.
- Types of data processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter, term, customer category); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved).
- Data subjects: Recipients of services and clients; prospective parties; business and contractual partners; education and course participants.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and commercial procedures.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- Online shop, order forms, e-commerce and performance of services: We process customer data to enable selection, purchase/order of chosen products/goods and related services, as well as their payment and provision/delivery or execution. Where necessary for order fulfillment, we use service providers, especially postal, freight, and shipping companies, to deliver/perform services to our customers. We use banks and payment service providers to process payments. Required information is identified as such during the ordering or comparable acquisition process and includes the data necessary for delivery/provision and billing, as well as contact information to allow for queries; Legal basis: contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Educational and training services: We process the data of participants in our educational and training offerings (“trainees”) to provide our training services. The data processed, type, scope, purpose, and necessity of processing are determined by the underlying contractual and training relationship. Forms of processing include performance evaluation and assessment of our services and those of the instructors. In the course of our activities, we may also process special categories of data, particularly health data of trainees and data revealing ethnic origin, political opinions, religious or philosophical beliefs. Where necessary, we obtain the trainees’ explicit consent and otherwise process such special categories of data only where necessary to provide training services, for health care, social protection, or to protect the vital interests of the trainees; Legal basis: contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Provision of the Online Offering and Web Hosting
We process users’ data to provide our online services. For this purpose, we process users’ IP addresses, which are necessary to transmit the content and functions of our online services to users’ browsers or devices.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved); log data (e.g., log files relating to logins, data retrievals, or access times); content data (e.g., text or image messages and posts, and related information such as authorship or time of creation).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.); security measures.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- Provision of the online offering on rented storage space: For providing our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a suitable server provider (“web host”); Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of “server log files”. These may include the address and name of the retrieved websites and files, date and time of access, data volume transferred, report of successful retrieval, browser type and version, users’ operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks such as DDoS attacks), and to ensure server load and stability; Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained as evidence are exempt from deletion until the incident is finally clarified.
- Email transmission and hosting: Our web hosting services also include sending, receiving, and storing emails. For these purposes, recipients’ and senders’ addresses as well as other information related to email transmission (e.g., the providers involved) and the contents of the emails are processed. The above data may also be processed for SPAM detection. Please note that emails are generally not sent encrypted on the Internet. While emails are usually encrypted during transport, they are typically not encrypted on the servers from which they are sent and received (unless end-to-end encryption is used). We therefore cannot take responsibility for the transmission path of emails between the sender and receipt on our server; Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Use of Cookies
“Cookies” are functions that store and read information on users’ devices. Cookies can serve different purposes, e.g., to ensure the functionality, security, and comfort of online offerings, and to produce analyses of visitor flows. We use cookies in accordance with legal requirements. Where required, we obtain users’ prior consent. Where consent is not necessary, we rely on our legitimate interests. This applies where storing and reading information is essential to provide expressly requested content and functions—for example, saving settings, and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about the scope and which cookies are used.
Notes on legal bases: Whether we process personal data using cookies depends on consent. If consent is given, it is the legal basis. Without consent, we rely on our legitimate interests as explained in this section and in the context of the respective services and procedures.
Storage duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile app).
- Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved and preferred content can be displayed directly when a user revisits a website. Usage data collected via cookies may also be used for reach measurement. Unless we provide explicit information on the type and storage duration of cookies (e.g., when obtaining consent), users should assume they are permanent and that storage duration can be up to two years.
General notes on withdrawal and objection (opt-out): Users may withdraw consents they have given at any time and may also object to processing in accordance with legal requirements, including via their browser privacy settings.
- Types of data processed: Meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).
Additional notes on processing operations, procedures, and services:
- Processing cookie data based on consent: We use a consent management solution to obtain users’ consent to the use of cookies or to the procedures and providers specified in the consent management solution. This procedure serves to obtain, log, manage, and withdraw consents, particularly related to the use of cookies and comparable technologies used to store, read, and process information on users’ devices. Within this procedure, users’ consents for the use of cookies and the associated processing of information, including the specific processing operations and providers named in the consent management process, are obtained. Users also have the option to manage and withdraw their consents. Consent statements are stored to avoid repeated queries and to demonstrate consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (opt-in cookie) or by comparable technologies to assign consent to a specific user or device. Unless specific providers of consent management services are named, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created and stored together with the time of consent, details of the scope of consent (e.g., categories of cookies and/or service providers concerned), as well as information about the browser, system, and device used; Legal basis: consent (Art. 6(1)(a) GDPR).
Blogs and Publication Media
We use blogs or comparable means of online communication and publication (“publication media”). Readers’ data are processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers or for security reasons. Otherwise, we refer to the information within this privacy policy on the processing of data of visitors to our publication medium.
- Types of data processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts, and related information such as authorship or time of creation); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Feedback (e.g., collecting feedback via online form); provision of our online offering and user-friendliness; security measures; organizational and administrative procedures.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- Comments and posts: When users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This is for our security in case unlawful content is left in comments and posts (insults, prohibited political propaganda, etc.). In such cases, we can be held liable for the comment or post and therefore have an interest in the author’s identity. We also reserve the right, on the basis of our legitimate interests, to process users’ details for spam detection. On the same legal basis, in the case of surveys, we reserve the right to store users’ IP addresses for their duration and to use cookies to prevent multiple votes. The information provided within comments and posts—personal details, any contact and website information, and the content—will be stored by us permanently until users object; Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone, or via social media) and within existing user and business relationships, information provided by the inquiring persons is processed to the extent necessary to respond to contact requests and any requested measures.
- Types of data processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts, and related information such as authorship or time of creation); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved).
- Data subjects: Communication partners.
- Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online offering and user-friendliness.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional notes on processing operations, procedures, and services:
- Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data submitted to us to answer and handle the respective matter. This typically includes details such as name, contact information, and, where applicable, further information provided that is necessary for appropriate handling. We use this data exclusively for the stated purpose of contact and communication; Legal bases: contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Audio Content
We use hosting services from providers to offer our audio content for listening and download. We use platforms that allow uploading, storing, and distributing audio material.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved); log data (e.g., log files relating to logins, data retrievals, or access times).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, detection of returning visitors); conversion measurement (measuring the effectiveness of marketing measures); profiles with user-related information (creating user profiles); provision of our online offering and user-friendliness.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- Spotify: Podcast hosting, publication and management of podcast content, analysis of listening behavior and statistics, monetization options for podcasters; Provider: Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://podcasters.spotify.com/ Privacy policy: https://www.spotify.com/de/legal/privacy-policy/
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (“newsletter”) only with recipients’ consent or on the basis of a legal permission. Where newsletter contents are specified during subscription, they are decisive for users’ consent. Normally, providing your email address is sufficient to subscribe. To provide a personalized service, we may ask for your name for personal salutation or for further information where necessary for the newsletter’s purpose.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove previously given consent. Processing of this data is limited to the purpose of potential defense against claims. Individual deletion requests are possible at any time, provided the former existence of consent is confirmed. Where we are obliged to permanently respect objections, we reserve the right to store the email address solely for this purpose on a blocklist.
Logging of the subscription process is based on our legitimate interests for the purpose of proving proper execution. Where we engage a service provider to send emails, this is based on our legitimate interests in an efficient and secure sending system.
Contents: Information about us, our services, promotions, and offers.
- Types of data processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (e.g., by email or post).
- Legal bases: Consent (Art. 6(1)(a) GDPR).
- Opt-out: You may unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to further receipt. A link to unsubscribe can be found at the end of each newsletter. You can also use any of the contact options above, preferably email.
Additional notes on processing operations, procedures, and services:
- Measurement of open and click rates: The newsletters contain a “web beacon,” i.e., a one-pixel file that is retrieved from our server or, if we use a sending service provider, from their server when the newsletter is opened. During this retrieval, technical information (e.g., about the browser and your system) as well as your IP address and the time of retrieval are collected. This information is used to technically improve our newsletter based on technical data or the target groups and their reading behavior, based on their retrieval locations (determinable using the IP address) or access times. The analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to recognize our users’ reading habits and adapt our content to them or to send different content according to our users’ interests. The measurement of open and click rates and the storage of the measurement results in users’ profiles […]. Legal basis: consent (Art. 6(1)(a) GDPR).
Web Analytics, Monitoring and Optimization
Web analytics (also “reach measurement”) serves to evaluate visitor flows to our online offering and may include behavior, interests, or demographic information about visitors (e.g., age or gender) as pseudonymous values. With reach analysis, for example, we can recognize at which times our online offering or its functions and content are used most frequently or invite reuse. It also enables us to understand which areas require optimization.
In addition to web analytics, we may use testing procedures to test and optimize different versions of our online offering or its components.
Unless stated otherwise below, profiles (i.e., data combined for a usage process) may be created, and information may be stored in a browser or device and then read. The data collected include, in particular, visited websites and elements used there, as well as technical details such as the browser used, the computer system, and information about usage times. Where users have given us or the providers of services we use their consent to the collection of their location data, location data may also be processed.
IP addresses of users are also stored. However, we use IP masking (i.e., pseudonymization by shortening the IP address) to protect users. As a rule, web analytics, A/B testing, and optimization do not store users’ clear data (such as email addresses or names), only pseudonyms. This means that neither we nor the providers of the software used know users’ actual identity, only the data stored in their profiles for the purposes of the respective procedures.
Notes on legal bases: Where we ask users for their consent to use third-party providers, consent is the legal basis for processing. Otherwise, user data are processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, detection of returning visitors); profiles with user-related information (creating user profiles); provision of our online offering and user-friendliness.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.” Storage of cookies up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user ID. This ID does not contain unique data such as names or email addresses. It serves to assign analytics information to a device to recognize which content users have accessed within one or multiple usage sessions, which search terms they used, whether they returned, or how they interacted with our online offering. The time of use and its duration, as well as sources referring users to our online offering and technical aspects of their devices and browsers, are also stored. Pseudonymous profiles across devices may be created, and cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. Analytics provides coarse geolocation data by deriving the following metadata from IP addresses: city (and derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data are used only for deriving geolocation data before being immediately deleted. They are neither logged nor accessible and not used for other purposes. When Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking; Privacy policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff. 
More information: https://business.safety.google/adsservices/ (types of processing and processed data).
Presences on Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context to communicate with active users there or to provide information about us.
Please note that user data may be processed outside the European Union. This may pose risks for users because, for example, it may make it more difficult to enforce users’ rights.
User data in social networks are also generally processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and resulting interests. These profiles may be used to display advertisements inside and outside the networks that likely correspond to users’ interests. Cookies are usually stored on users’ computers, where users’ behavior and interests are stored. Data can also be stored in usage profiles independently of the devices used by users (particularly if they are members of the respective platforms and logged in).
For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.
In the case of access requests and the exercise of data subject rights, we point out that these are most effectively addressed to the providers. Only the providers have access to users’ data and can take direct measures and provide information. If you still need assistance, you can contact us.
- Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts and related information such as authorship or time of creation); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Communication; feedback (e.g., collecting feedback via online form); public relations.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for collecting (but not further processing) data of visitors used to create “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with and actions they take. Details about devices used are also collected, such as IP addresses, operating system, browser type, language settings, and cookie data, as well as information from user profiles such as job function, country, industry, seniority, company size, and employment status. Information on LinkedIn’s processing of user data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which, in particular, sets out the security measures LinkedIn must observe and under which LinkedIn agrees to fulfill data subjects’ rights (i.e., users can address access or deletion requests directly to LinkedIn). Users’ rights (in particular, the right of access, deletion, objection, and to lodge a complaint with the competent supervisory authority) are not restricted by the agreement with LinkedIn. Joint controllership is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly regarding the transfer of data to the parent company, LinkedIn Corporation, in the USA; Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Plug-ins and Embedded Functions and Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (“third-party providers”). These may include graphics, videos, or maps (collectively referred to as “content”).
Integration always requires that the third-party providers of this content process users’ IP addresses, since the content cannot be sent to users’ browsers without an IP address. The IP address is therefore required to display this content or functions. We endeavor to use only content whose providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit, and further details on the use of our online offering, and may also be combined with such information from other sources.
Notes on legal bases: Where we ask users for their consent to use third-party providers, consent is the legal basis for data processing. Otherwise, user data are processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, persons involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness.
- Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.” Storage of cookies up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processing operations, procedures, and services:
- Google Fonts (retrieval from Google server): Retrieval of fonts (and icons) for a technically secure, maintenance-free, and efficient use of fonts and icons with respect to up-to-dateness and loading times, their uniform display, and consideration of possible license restrictions. The provider of the fonts is informed of the user’s IP address so that the fonts can be provided in the user’s browser. Technical data (language settings, screen resolution, operating system, hardware used) necessary to provide the fonts depending on the devices and technical environment are also transmitted. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users’ browsers send HTTP requests to the Google Fonts Web API (a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the user to access the internet, (2) the requested URL on Google’s server, and (3) HTTP headers, including the user agent describing the website visitor’s browser and operating system versions, and the referrer URL (i.e., the webpage on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families that the user wants to load. These data are logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API needs the user agent in order to adapt the generated font to the respective browser type. The user agent is primarily logged for debugging and to generate aggregated usage statistics measuring the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report of the top integrations can be generated based on the number of font requests. According to Google, none of the information collected by Google Fonts is used to create profiles of end users or to serve targeted ads; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Third-country transfer basis: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de
Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke (in German).
