Preamble

Table of contents

• Pre­am­ble
• Legal Bases for the Pro­cess­ing
• Secu­ri­ty Pre­cau­tions
• Trans­mis­sion of Per­son­al Data
• Data Pro­cess­ing in Third Coun­tries
• Era­sure of data
• Use of Cook­ies
• Busi­ness ser­vices
• Pro­vi­sion of online ser­vices and web host­ing
• Spe­cial Notes on Appli­ca­tions (Apps)
• Cloud Ser­vices
• Newslet­ter and Elec­tron­ic Com­mu­ni­ca­tions
• Sweep­stakes and Con­tests
• Pro­files in Social Net­works (Social Media)
• Plu­g­ins and embed­ded func­tions and con­tent
• Man­age­ment, Orga­ni­za­tion and Util­i­ties
• Changes and Updates to the Pri­va­cy Pol­i­cy
• Rights of Data Sub­jects
• Ter­mi­nol­o­gy and Def­i­n­i­tions

Legal Bases for the Processing

• Con­sent (Arti­cle 6 (1) (a) GDPR) — The data sub­ject has giv­en con­sent to the pro­cess­ing of his or her per­son­al data for one or more spe­cif­ic pur­pos­es.
• Per­for­mance of a con­tract and pri­or requests (Arti­cle 6 (1) (b) GDPR) — Per­for­mance of a con­tract to which the data sub­ject is par­ty or in order to take steps at the request of the data sub­ject pri­or to enter­ing into a con­tract.
• Com­pli­ance with a legal oblig­a­tion (Arti­cle 6 (1) © GDPR) — Pro­cess­ing is nec­es­sary for com­pli­ance with a legal oblig­a­tion to which the con­troller is sub­ject.
• Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR) — Pro­cess­ing is nec­es­sary for the pur­pos­es of the legit­i­mate inter­ests pur­sued by the con­troller or by a third par­ty, except where such inter­ests are over­rid­den by the inter­ests or fun­da­men­tal rights and free­doms of the data sub­ject which require pro­tec­tion of per­son­al data.

Security Precautions

Transmission of Personal Data

Data Processing in Third Countries

Erasure of data

Use of Cookies

• Tem­po­rary cook­ies (also known as “ses­sion cook­ies”): Tem­po­rary cook­ies are delet­ed at the lat­est after a user has left an online ser­vice and closed his or her end device (i.e. brows­er or mobile appli­ca­tion). 
• Per­ma­nent cook­ies: Per­ma­nent cook­ies remain stored even after the ter­mi­nal device is closed. For exam­ple, the login sta­tus can be saved, or pre­ferred con­tent can be dis­played direct­ly when the user vis­its a web­site again. Like­wise, user data col­lect­ed with the help of cook­ies can be used for reach mea­sure­ment. Unless we pro­vide users with explic­it infor­ma­tion about the type and stor­age dura­tion of cook­ies (e.g., as part of obtain­ing con­sent), users should assume that cook­ies are per­ma­nent and that the stor­age peri­od can be up to two years.

• Pro­cess­ing Cook­ie Data on the Basis of Con­sent: We use a cook­ie man­age­ment solu­tion in which users’ con­sent to the use of cook­ies, or the pro­ce­dures and providers men­tioned in the cook­ie man­age­ment solu­tion, can be obtained, man­aged and revoked by the users. The dec­la­ra­tion of con­sent is stored so that it does not have to be retrieved again and the con­sent can be proven in accor­dance with the legal oblig­a­tion. Stor­age can take place serv­er-sided and/or in a cook­ie (so-called opt-out cook­ie or with the aid of com­pa­ra­ble tech­nolo­gies) in order to be able to assign the con­sent to a user or and/or his/her device. Sub­ject to indi­vid­ual details of the providers of cook­ie man­age­ment ser­vices, the fol­low­ing infor­ma­tion applies: The dura­tion of the stor­age of the con­sent can be up to two years. In this case, a pseu­do­ny­mous user iden­ti­fi­er is formed and stored with the date/time of con­sent, infor­ma­tion on the scope of the con­sent (e.g. which cat­e­gories of cook­ies and/or ser­vice providers) as well as the brows­er, sys­tem and used end device.

Business services

• Processed data types: Inven­to­ry data (e.g. names, address­es); Pay­ment Data (e.g. bank details, invoic­es, pay­ment his­to­ry); Con­tact data (e.g. e‑mail, tele­phone num­bers); Con­tract data (e.g. con­tract object, dura­tion, cus­tomer cat­e­go­ry).
• Data sub­jects: Prospec­tive cus­tomers; Busi­ness and con­trac­tu­al part­ners.
• Pur­pos­es of Pro­cess­ing: Pro­vi­sion of con­trac­tu­al ser­vices and cus­tomer sup­port; Con­tact requests and com­mu­ni­ca­tion; Office and organ­i­sa­tion­al pro­ce­dures; Man­ag­ing and respond­ing to inquiries.
• Legal Basis: Per­for­mance of a con­tract and pri­or requests (Arti­cle 6 (1) (b) GDPR); Com­pli­ance with a legal oblig­a­tion (Arti­cle 6 (1) © GDPR); Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

Provision of online services and web hosting

• Processed data types: Con­tent data (e.g. text input, pho­tographs, videos); Usage data (e.g. web­sites vis­it­ed, inter­est in con­tent, access times); Meta/communication data (e.g. device infor­ma­tion, IP address­es).
• Data sub­jects: Users (e.g. web­site vis­i­tors, users of online ser­vices).
• Pur­pos­es of Pro­cess­ing: Pro­vi­sion of our online ser­vices and usabil­i­ty.
• Legal Basis: Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

• E‑mail Send­ing and Host­ing: The web host­ing ser­vices we use also include send­ing, receiv­ing and stor­ing e‑mails. For these pur­pos­es, the address­es of the recip­i­ents and senders, as well as oth­er infor­ma­tion relat­ing to the send­ing of e‑mails (e.g. the providers involved) and the con­tents of the respec­tive e‑mails are processed. The above data may also be processed for SPAM detec­tion pur­pos­es. Please note that e‑mails on the Inter­net are gen­er­al­ly not sent in encrypt­ed form. As a rule, e‑mails are encrypt­ed dur­ing trans­port, but not on the servers from which they are sent and received (unless a so-called end-to-end encryp­tion method is used). We can there­fore accept no respon­si­bil­i­ty for the trans­mis­sion path of e‑mails between the sender and recep­tion on our serv­er.
• Col­lec­tion of Access Data and Log Files: We, our­selves or our web host­ing provider, col­lect data on the basis of each access to the serv­er (so-called serv­er log files). Serv­er log files may include the address and name of the web pages and files accessed, the date and time of access, data vol­umes trans­ferred, noti­fi­ca­tion of suc­cess­ful access, brows­er type and ver­sion, the user’s oper­at­ing sys­tem, refer­rer URL (the pre­vi­ous­ly vis­it­ed page) and, as a gen­er­al rule, IP address­es and the request­ing provider. The serv­er log files can be used for secu­ri­ty pur­pos­es, e.g. to avoid over­load­ing the servers (espe­cial­ly in the case of abu­sive attacks, so-called DDoS attacks) and to ensure the sta­bil­i­ty and opti­mal load bal­anc­ing of the servers; Reten­tion peri­od: Log file infor­ma­tion is stored for a max­i­mum peri­od of 30 days and then delet­ed or anonymized. Data, the fur­ther stor­age of which is nec­es­sary for evi­dence pur­pos­es, are exclud­ed from dele­tion until the respec­tive inci­dent has been final­ly clar­i­fied.
• Con­tent-Deliv­ery-Net­work: We use a so-called “Con­tent Deliv­ery Net­work” (CDN). A CDN is a ser­vice with whose help con­tents of our online ser­vices, in par­tic­u­lar large media files, such as graph­ics or scripts, can be deliv­ered faster and more secure­ly with the help of region­al­ly dis­trib­uted servers con­nect­ed via the Inter­net.

Special Notes on Applications (Apps)

• Processed data types: Inven­to­ry data (e.g. names, address­es); Meta/communication data (e.g. device infor­ma­tion, IP address­es); Pay­ment Data (e.g. bank details, invoic­es, pay­ment his­to­ry); Con­tract data (e.g. con­tract object, dura­tion, cus­tomer cat­e­go­ry).
• Data sub­jects: Users (e.g. web­site vis­i­tors, users of online ser­vices).
• Pur­pos­es of Pro­cess­ing: Pro­vi­sion of con­trac­tu­al ser­vices and cus­tomer sup­port.
• Legal Basis: Con­sent (Arti­cle 6 (1) (a) GDPR); Per­for­mance of a con­tract and pri­or requests (Arti­cle 6 (1) (b) GDPR); Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

• Com­mer­cial use: We process the data of the users of our appli­ca­tion, reg­is­tered and any test users (here­inafter uni­form­ly referred to as “users”) in order to pro­vide them with our con­trac­tu­al ser­vices and on the basis of legit­i­mate inter­ests to ensure the secu­ri­ty of our appli­ca­tion and to devel­op it fur­ther. The required details are iden­ti­fied as such with­in the scope of the con­clu­sion of a con­tract for the use of the appli­ca­tion, the con­clu­sion of an order, an order or a com­pa­ra­ble con­tract and may include the details required for the pro­vi­sion of ser­vices and any invoic­ing as well as con­tact infor­ma­tion in order to be able to hold any con­sul­ta­tions.
• Stor­age of the uni­ver­sal­ly unique iden­ti­fi­er (UUID): The appli­ca­tion stores a so-called Uni­ver­sal­ly Unique Iden­ti­fi­er (UUID) for the pur­pose of analysing the use and func­tion­al­i­ty of the appli­ca­tion and stor­ing the user’s set­tings. This iden­ti­fi­er is gen­er­at­ed when the appli­ca­tion is installed (but is not con­nect­ed to the device, so no device ID in this sense), remains stored between the start of the appli­ca­tion and its updates and is delet­ed when users remove the appli­ca­tion from their device.
• Stor­age of an own unique iden­ti­fi­er: In order to pro­vide the appli­ca­tion and ensure its func­tion­al­i­ty, we use a pseu­do­ny­mous iden­ti­fi­er. The iden­ti­fi­er is a math­e­mat­i­cal val­ue (i.e. no clear data such as names are used) that is assigned to a device and/or the instal­la­tion of the appli­ca­tion installed on it. This iden­ti­fi­er is gen­er­at­ed dur­ing the instal­la­tion of the appli­ca­tion, remains stored between the start of the appli­ca­tion and its updates and is delet­ed when users remove the appli­ca­tion from the device.
• Loca­tion his­to­ry and move­ment pro­files: The loca­tion data is only used selec­tive­ly and is not processed to cre­ate a loca­tion his­to­ry or a move­ment pro­file of the devices used or of their users.

Cloud Services

• Processed data types: Inven­to­ry data (e.g. names, address­es); Con­tact data (e.g. e‑mail, tele­phone num­bers); Con­tent data (e.g. text input, pho­tographs, videos); Usage data (e.g. web­sites vis­it­ed, inter­est in con­tent, access times); Meta/communication data (e.g. device infor­ma­tion, IP address­es).
• Data sub­jects: Cus­tomers; Employ­ees (e.g. Employ­ees, job appli­cants); Prospec­tive cus­tomers; Com­mu­ni­ca­tion part­ner (Recip­i­ents of e‑mails, let­ters, etc.).
• Pur­pos­es of Pro­cess­ing: Office and organ­i­sa­tion­al pro­ce­dures.
• Legal Basis: Con­sent (Arti­cle 6 (1) (a) GDPR); Per­for­mance of a con­tract and pri­or requests (Arti­cle 6 (1) (b) GDPR); Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

• Drop­box: Cloud stor­age ser­vice; Ser­vice provider: Drop­box, Inc., 333 Bran­nan Street, San Fran­cis­co, Cal­i­for­nia 94107, USA; Web­site: https://www.dropbox.com; Pri­va­cy Pol­i­cy: https://www.dropbox.com/privacy.
• Team­Drive: Cloud stor­age ser­vice; Ser­vice provider: Team­Drive Sys­tems GmbH, Max-Brauer-Allee 50, 22765 Ham­burg, Ger­many; Web­site: https://teamdrive.com/en; Terms & Con­di­tions: https://teamdrive.com/en/privacy-policy/.
• Trel­lo: Project man­age­ment tool; Ser­vice provider: Trel­lo Inc., 55 Broad­way New York, NY 10006, USA, par­ent com­pa­ny: Atlass­ian Inc. (San Fran­cis­co, Har­ri­son Street Loca­tion), 1098 Har­ri­son Street, San Fran­cis­co, Cal­i­for­nia 94103, USA; Web­site: https://trello.com/; Pri­va­cy Pol­i­cy: https://trello.com/privacy; Stan­dard Con­trac­tu­al Claus­es (Safe­guard­ing the lev­el of data pro­tec­tion when pro­cess­ing data in third coun­tries): https://www.atlassian.com/legal/data-processing-addendum; Fur­ther Infor­ma­tion: Data Trans­fer Impact Assess­ment: https://www.atlassian.com/legal/data-transfer-impact-assessment.

Newsletter and Electronic Communications

• Processed data types: Inven­to­ry data (e.g. names, address­es); Con­tact data (e.g. e‑mail, tele­phone num­bers); Meta/communication data (e.g. device infor­ma­tion, IP address­es); Usage data (e.g. web­sites vis­it­ed, inter­est in con­tent, access times).
• Data sub­jects: Com­mu­ni­ca­tion part­ner (Recip­i­ents of e‑mails, let­ters, etc.).
• Pur­pos­es of Pro­cess­ing: Direct mar­ket­ing (e.g. by e‑mail or postal).
• Legal Basis: Con­sent (Arti­cle 6 (1) (a) GDPR); Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).
• Opt-Out: You can can­cel the receipt of our newslet­ter at any time, i.e. revoke your con­sent or object to fur­ther receipt. You will find a link to can­cel the newslet­ter either at the end of each newslet­ter or you can oth­er­wise use one of the con­tact options list­ed above, prefer­ably e‑mail.

• Mailchimp: Email dis­tri­b­u­tion and email mar­ket­ing plat­form; Ser­vice provider: “Mailchimp” — Rock­et Sci­ence Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Web­site: https://mailchimp.com; Pri­va­cy Pol­i­cy: https://mailchimp.com/legal/privacy/; Stan­dard Con­trac­tu­al Claus­es (Safe­guard­ing the lev­el of data pro­tec­tion when pro­cess­ing data in third coun­tries): https://mailchimp.com/legal/data-processing-addendum/; Fur­ther Infor­ma­tion: Spe­cial safe­ty mea­sures: https://mailchimp.com/help/Mailchimp-european-data-transfers/.

Sweepstakes and Contests

• Processed data types: Inven­to­ry data (e.g. names, address­es); Con­tent data (e.g. text input, pho­tographs, videos).
• Data sub­jects: Par­tic­i­pants in sweep­stakes and com­pe­ti­tions.
• Pur­pos­es of Pro­cess­ing: Con­duct­ing sweep­stakes and con­tests.
• Legal Basis: Per­for­mance of a con­tract and pri­or requests (Arti­cle 6 (1) (b) GDPR).

Profiles in Social Networks (Social Media)

• Processed data types: Con­tact data (e.g. e‑mail, tele­phone num­bers); Con­tent data (e.g. text input, pho­tographs, videos); Usage data (e.g. web­sites vis­it­ed, inter­est in con­tent, access times); Meta/communication data (e.g. device infor­ma­tion, IP address­es).
• Data sub­jects: Users (e.g. web­site vis­i­tors, users of online ser­vices).
• Pur­pos­es of Pro­cess­ing: Con­tact requests and com­mu­ni­ca­tion; Feed­back (e.g. col­lect­ing feed­back via online form); Mar­ket­ing.
• Legal Basis: Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

• Insta­gram: Social net­work; Ser­vice provider: Insta­gram Inc., 1601 Wil­low Road, Men­lo Park, CA, 94025, USA; Web­site: https://www.instagram.com; Pri­va­cy Pol­i­cy: https://instagram.com/about/legal/privacy.
• Twit­ter: Social net­work; Ser­vice provider: Twit­ter Inter­na­tion­al Com­pa­ny, One Cum­ber­land Place, Fen­ian Street, Dublin 2 D02 AX07, Ire­land, par­ent com­pa­ny: Twit­ter Inc., 1355 Mar­ket Street, Suite 900, San Fran­cis­co, CA 94103, USA; Pri­va­cy Pol­i­cy: https://twitter.com/privacy, (Set­tings: https://twitter.com/personalization).
• Dis­cord: Instant mes­sag­ing, chat, voice and video con­fer­enc­ing; Ser­vice provider: Dis­cord, Inc., 444 De Haro St, Suite 200, San Fran­cis­co, Cal­i­for­nia 94107, USA; Web­site: https://discordapp.com/; Pri­va­cy Pol­i­cy: https://discordapp.com/privacy.

Plugins and embedded functions and content

• Processed data types: Usage data (e.g. web­sites vis­it­ed, inter­est in con­tent, access times); Meta/communication data (e.g. device infor­ma­tion, IP address­es).
• Data sub­jects: Users (e.g. web­site vis­i­tors, users of online ser­vices).
• Pur­pos­es of Pro­cess­ing: Pro­vi­sion of our online ser­vices and usabil­i­ty; Pro­vi­sion of con­trac­tu­al ser­vices and cus­tomer sup­port.
• Legal Basis: Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

• Google Fonts: We inte­grate the fonts (“Google Fonts”) of the provider Google, where­by the data of the users are used sole­ly for pur­pos­es of the rep­re­sen­ta­tion of the fonts in the brows­er of the users. The inte­gra­tion takes place on the basis of our legit­i­mate inter­ests in a tech­ni­cal­ly secure, main­te­nance-free and effi­cient use of fonts, their uni­form pre­sen­ta­tion and con­sid­er­a­tion of pos­si­ble licens­ing restric­tions for their inte­gra­tion; Ser­vice provider: Google Ire­land Lim­it­ed, Gor­don House, Bar­row Street, Dublin 4, Ire­land, par­ent com­pa­ny: Google LLC, 1600 Amphithe­atre Park­way, Moun­tain View, CA 94043, USA; Web­site: https://fonts.google.com/; Pri­va­cy Pol­i­cy: https://policies.google.com/privacy.

Management, Organization and Utilities

• Processed data types: Inven­to­ry data (e.g. names, address­es); Con­tact data (e.g. e‑mail, tele­phone num­bers); Con­tent data (e.g. text input, pho­tographs, videos); Usage data (e.g. web­sites vis­it­ed, inter­est in con­tent, access times); Meta/communication data (e.g. device infor­ma­tion, IP address­es).
• Data sub­jects: Com­mu­ni­ca­tion part­ner (Recip­i­ents of e‑mails, let­ters, etc.); Users (e.g. web­site vis­i­tors, users of online ser­vices).
• Legal Basis: Con­sent (Arti­cle 6 (1) (a) GDPR); Per­for­mance of a con­tract and pri­or requests (Arti­cle 6 (1) (b) GDPR); Legit­i­mate Inter­ests (Arti­cle 6 (1) (f) GDPR).

• Trel­lo: Project man­age­ment tool; Ser­vice provider: Trel­lo Inc., 55 Broad­way New York, NY 10006, USA, par­ent com­pa­ny: Atlass­ian Inc. (San Fran­cis­co, Har­ri­son Street Loca­tion), 1098 Har­ri­son Street, San Fran­cis­co, Cal­i­for­nia 94103, USA; Web­site: https://trello.com/; Pri­va­cy Pol­i­cy: https://trello.com/privacy; Stan­dard Con­trac­tu­al Claus­es (Safe­guard­ing the lev­el of data pro­tec­tion when pro­cess­ing data in third coun­tries): https://www.atlassian.com/legal/data-processing-addendum; Fur­ther Infor­ma­tion: Data Trans­fer Impact Assess­ment: https://www.atlassian.com/legal/data-transfer-impact-assessment.

Changes and Updates to the Privacy Policy

Rights of Data Subjects

• Right to Object: You have the right, on grounds aris­ing from your par­tic­u­lar sit­u­a­tion, to object at any time to the pro­cess­ing of your per­son­al data which is based on let­ter (e) or (f) of Arti­cle 6(1) GDPR, includ­ing pro­fil­ing based on those pro­vi­sions. Where per­son­al data are processed for direct mar­ket­ing pur­pos­es, you have the right to object at any time to the pro­cess­ing of the per­son­al data con­cern­ing you for the pur­pose of such mar­ket­ing, which includes pro­fil­ing to the extent that it is relat­ed to such direct mar­ket­ing.
• Right of with­draw­al for con­sents: You have the right to revoke con­sents at any time.
• Right of access: You have the right to request con­fir­ma­tion as to whether the data in ques­tion will be processed and to be informed of this data and to receive fur­ther infor­ma­tion and a copy of the data in accor­dance with the pro­vi­sions of the law.
• Right to rec­ti­fi­ca­tion: You have the right, in accor­dance with the law, to request the com­ple­tion of the data con­cern­ing you or the rec­ti­fi­ca­tion of the incor­rect data con­cern­ing you.
• Right to Era­sure and Right to Restric­tion of Pro­cess­ing: In accor­dance with the statu­to­ry pro­vi­sions, you have the right to demand that the rel­e­vant data be erased imme­di­ate­ly or, alter­na­tive­ly, to demand that the pro­cess­ing of the data be restrict­ed in accor­dance with the statu­to­ry pro­vi­sions.
• Right to data porta­bil­i­ty: You have the right to receive data con­cern­ing you which you have pro­vid­ed to us in a struc­tured, com­mon and machine-read­able for­mat in accor­dance with the legal require­ments, or to request its trans­mis­sion to anoth­er con­troller.
• Com­plaint to the super­vi­so­ry author­i­ty: In accor­dance with the law and with­out prej­u­dice to any oth­er admin­is­tra­tive or judi­cial rem­e­dy, you also have the right to lodge a com­plaint with a data pro­tec­tion super­vi­so­ry author­i­ty, in par­tic­u­lar a super­vi­so­ry author­i­ty in the Mem­ber State where you habit­u­al­ly reside, the super­vi­so­ry author­i­ty of your place of work or the place of the alleged infringe­ment, if you con­sid­er that the pro­cess­ing of per­son­al data con­cern­ing you infringes the GDPR.

Terminology and Definitions

• Con­troller: “Con­troller” means the nat­ur­al or legal per­son, pub­lic author­i­ty, agency or oth­er body which, alone or joint­ly with oth­ers, deter­mines the pur­pos­es and means of the pro­cess­ing of per­son­al data.
• Per­son­al Data: “per­son­al data” means any infor­ma­tion relat­ing to an iden­ti­fied or iden­ti­fi­able nat­ur­al per­son (“data sub­ject”); an iden­ti­fi­able nat­ur­al per­son is one who can be iden­ti­fied, direct­ly or indi­rect­ly, in par­tic­u­lar by ref­er­ence to an iden­ti­fi­er such as a name, an iden­ti­fi­ca­tion num­ber, loca­tion data, an online iden­ti­fi­er or to one or more fac­tors spe­cif­ic to the phys­i­cal, phys­i­o­log­i­cal, genet­ic, men­tal, eco­nom­ic, cul­tur­al or social iden­ti­ty of that nat­ur­al per­son.
• Pro­cess­ing: The term “pro­cess­ing” cov­ers a wide range and prac­ti­cal­ly every han­dling of data, be it col­lec­tion, eval­u­a­tion, stor­age, trans­mis­sion or era­sure.