This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter briefly referred to as “Data”) within the context of the provision of our services, as well as within our online offering—including the associated websites, features, and content—and our external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”). With regard to the terminology used herein—such as “processing” or “controller”—we refer to the definitions set forth in Article 4 of the General Data Protection Regulation (GDPR).
Responsible Party
Tanja Bochnig / April Aromatics
Rüdesheimer Straße 8
14197 Berlin
Germany
Email: info@aprilaromatics.com
Owner: Tanja Bochnig
Impressum: https://aprilaromatics.com/impressum
Types of Data Processed
- Inventory data (e.g., master data, names, or addresses).
- Contact data (e.g., email, phone numbers).
- Content data (e.g., text entries, photographs, videos).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).
Categories of Data Subjects
Visitors and users of the online service (hereinafter, we collectively refer to the affected persons as “Users”).
Purpose of Processing
- Provision of the online offering, its functions, and content.
- Responding to contact inquiries and communicating with users.
- Security measures.
- Reach measurement/Marketing.
Terminology Used
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad in scope and encompasses practically every form of handling data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Applicable Legal Bases
In accordance with Art. 13 of the GDPR, we hereby inform you of the legal bases for our data processing activities. For users residing within the scope of application of the General Data Protection Regulation (GDPR)—i.e., the EU and the EEA—the following applies, provided that the specific legal basis is not explicitly stated in this Privacy Policy:
The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 of the GDPR;
The legal basis for processing data for the fulfillment of our services, the execution of contractual measures, and the handling of inquiries is Art. 6 para. 1 lit. b of the GDPR;
The legal basis for processing data to fulfill our legal obligations is Art. 6 para. 1 lit. c of the GDPR;
In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Art. 6 para. 1 lit. d of the GDPR serves as the legal basis;
The legal basis for processing necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller, is Art. 6 para. 1 lit. e of the GDPR;
The legal basis for processing data to safeguard our legitimate interests is Art. 6 para. 1 lit. f of the GDPR;
The processing of data for purposes other than those for which it was originally collected is governed by the provisions of Art. 6 para. 4 of the GDPR;
The processing of special categories of data (pursuant to Art. 9 para. 1 of the GDPR) is governed by the provisions of Art. 9 para. 2 of the GDPR.
Security Measures
In accordance with statutory requirements—and taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons—we implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, transmission, availability, and segregation related to it. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and the response to data security incidents. Moreover, we incorporate the protection of personal data into the design and selection of hardware, software, and procedures—in accordance with the principles of data protection by design and by default.
Collaboration with Processors, Joint Controllers, and Third Parties
Insofar as we, in the course of our processing activities, disclose data to other persons or companies (processors, joint controllers, or third parties), transmit such data to them, or otherwise grant them access to the data, this is done only on the basis of a legal permission (e.g., where the transmission of data to third parties—such as payment service providers—is necessary for the fulfillment of a contract), where users have consented, where a legal obligation so requires, or on the basis of our legitimate interests (e.g., when engaging agents, web hosting providers, etc.).
Insofar as we disclose data to other companies within our corporate group, transmit such data, or otherwise grant them access, this is done in particular for administrative purposes—constituting a legitimate interest—and, furthermore, on a basis that complies with statutory requirements.
Transfers to Third Countries
Insofar as we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation)—or if such processing occurs within the context of using third-party services or disclosing/transferring data to other persons or entities—this takes place only if it is necessary for the fulfillment of our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to explicit consent or a transfer required by contract, we process—or have processed—data in third countries only if they maintain a recognized level of data protection (including US processors certified under the “Privacy Shield”) or if the processing is based on specific safeguards, such as contractual obligations established through so-called Standard Contractual Clauses issued by the EU Commission, the existence of certifications, or binding corporate rules (Articles 44 to 49 GDPR; see the EU Commission’s information page).
Rights of Data Subjects
Right of Access: You have the right to request confirmation as to whether data concerning you is being processed, as well as access to such data, further information, and a copy of the data, in accordance with statutory requirements.
Right to Rectification: In accordance with statutory requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to Erasure and Restriction of Processing: In accordance with statutory requirements, you have the right to request that data concerning you be erased without undue delay, or, alternatively, to request a restriction of the processing of such data.
Right to Data Portability: In accordance with statutory requirements, you have the right to receive data concerning you—which you have provided to us—in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
Right to Lodge a Complaint with a Supervisory Authority: Furthermore, in accordance with statutory requirements, you have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
You have the right to revoke granted consents with effect for the future.
Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
Cookies and Right to Object to Direct Marketing
“Cookies” are small files that are stored on users’ computers. Various types of information can be stored within these cookies. The primary purpose of a cookie is to store information regarding a specific user (or the device on which the cookie is stored) during—or even after—their visit to an online service. Cookies that are deleted after a user leaves an online service and closes their browser are referred to as temporary cookies, “session cookies,” or “transient cookies.” Such a cookie may, for example, store the contents of a shopping cart in an online store or a user’s login status. Cookies that remain stored even after the browser has been closed are referred to as “permanent” or “persistent” cookies. This allows, for instance, a user’s login status to be retained when they revisit the site after several days. Similarly, such cookies may store user interests, which are then used for audience measurement or marketing purposes. Cookies provided by providers other than the controller operating the online service are referred to as “third-party cookies” (conversely, if the cookies originate solely from the controller, they are referred to as “first-party cookies”).
We may utilize both temporary and permanent cookies, and we provide further details regarding this within the scope of our Privacy Policy.
In instances where we request users’ consent for the use of cookies (e.g., via a cookie consent banner), the legal basis for such processing is Art. 6 Para. 1 lit. a of the GDPR. Otherwise—and in accordance with the subsequent explanations provided within this Privacy Policy—users’ personal data processed via cookies is handled on the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and economic operation of our online service, pursuant to Art. 6 Para. 1 lit. f of the GDPR), or—where the use of cookies is necessary for the provision of our contractual services—pursuant to Art. 6 Para. 1 lit. b of the GDPR. …processed in accordance with the GDPR—specifically, pursuant to Art. 6 Para. 1 lit. e of the GDPR, insofar as the use of cookies is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
If users do not wish for cookies to be stored on their computer, they are requested to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted via the browser’s system settings. Disabling cookies may result in functional limitations of this online service.
A general objection to the use of cookies employed for online marketing purposes—particularly in the case of tracking—can be declared for a wide range of services via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them within the browser settings. Please note that, in this case, it may not be possible to utilize all the features of this online service.
Deletion of Data
The data we process is deleted or its processing restricted in accordance with statutory requirements. Unless expressly stated otherwise within the scope of this Privacy Policy, data stored by us will be deleted as soon as it is no longer required for its intended purpose and provided that no statutory retention obligations prevent such deletion.
If data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax-related reasons.
Changes and Updates to the Privacy Policy
We ask that you regularly review the content of our Privacy Policy. We update the Privacy Policy whenever changes to our data processing activities make this necessary. We will inform you whenever such changes require an action on your part (e.g., providing consent) or necessitate any other individual notification.
Business-Related Processing
Additionally, we process:
- Contract data (e.g., subject matter of the contract, term, customer category)
- Payment data (e.g., bank details, payment history)
from our customers, prospective customers, and business partners for the purpose of providing contractual services, customer service and support, marketing, advertising, and market research.
Order Processing in the Online Shop and Customer Account
We process our customers’ data within the scope of the ordering processes in our online shop to enable them to select and order their chosen products and services, as well as to facilitate payment and delivery or execution thereof.
The data processed includes inventory data, communication data, contract data, and payment data; the persons affected by this processing include our customers, prospective customers, and other business partners. The processing is carried out for the purpose of providing contractual services within the context of operating an online shop, including billing, delivery, and customer service. In this context, we use session cookies to store the contents of the shopping cart and persistent cookies to store the login status.
Processing is carried out for the fulfillment of our services and the implementation of contractual measures (e.g., executing ordering processes), and insofar as it is legally required (e.g., legally mandated archiving of business transactions for commercial and tax purposes). In this regard, the information designated as mandatory is required for the establishment and fulfillment of the contract. We disclose data to third parties only within the scope of delivery or payment processing, or within the framework of legal permissions and obligations, as well as when such disclosure is based on our legitimate interests—regarding which we inform you within this Privacy Policy (e.g., to legal and tax advisors, financial institutions, shipping companies, and government authorities).
Users may optionally create a user account, through which they can, in particular, view their orders. During the registration process, users are informed of the mandatory information required. User accounts are not public and cannot be indexed by search engines. If users terminate their user account, their data associated with that account will be deleted, subject to any retention requirements for commercial or tax law reasons. Information contained in the customer account remains stored until the account is deleted, followed by subsequent archiving in cases where a legal obligation or our legitimate interests (e.g., in the event of legal disputes) require it. It is the responsibility of users to back up their data following termination of the contract and prior to its expiration.
In the context of registration, subsequent logins, and the use of our online services, we store the IP address and the timestamp of the respective user action. This data is stored based on our legitimate interests—as well as those of the users—in protection against misuse and other unauthorized use. As a general rule, this data is not disclosed to third parties, unless such disclosure is necessary to assert our legal claims (constituting a legitimate interest) or a statutory obligation to do so exists.
Data is deleted upon the expiration of statutory warranty periods and other contractual rights or obligations (e.g., payment claims or performance obligations arising from contracts with customers); the necessity of retaining the data is reviewed every three years. In cases where data is retained due to statutory archiving obligations, deletion takes place once those obligations have expired.
External Payment Service Providers
We utilize external payment service providers whose platforms enable both our users and us to conduct payment transactions. These payment service providers may include—each with a link to their respective privacy policy: PayPal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full), Klarna (https://www.klarna.com/de/datenschutz/), Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/), Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/), Visa (https://www.visa.de/datenschutz), Mastercard (https://www.mastercard.de/de-de/datenschutz.html), American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html), and Stripe (https://stripe.com/de/privacy).
In the context of fulfilling contractual obligations, we utilize these payment service providers pursuant to Art. 6 Para. 1 lit. b of the GDPR. Furthermore, we utilize external payment service providers based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f of the GDPR, in order to offer our users effective and secure payment options.
The data processed by these payment service providers includes inventory data—such as names and addresses—as well as banking data—such as account numbers or credit card numbers—passwords, TANs, and checksums, along with contract-specific, aggregate, and recipient-related details. This information is required to execute the transactions. However, the data entered by the user is processed and stored solely by the payment service providers themselves. This means that we do not receive any account- or credit card-specific information; instead, we receive only information confirming the payment or indicating a payment failure. Under certain circumstances, the payment service providers may transmit this data to credit reporting agencies. The purpose of this transmission is to verify identity and creditworthiness. In this regard, we refer to the General Terms and Conditions and Privacy Notices of the payment service providers.
Payment transactions are governed by the terms and conditions and privacy notices of the respective payment service providers, which are accessible on their respective websites or within their transaction applications. We also refer to these documents for further information, as well as for the exercise of rights of withdrawal, rights of access, and other data subject rights.
Administration, Financial Accounting, Office Organization, Contact Management
We process data in the context of administrative tasks, the organization of our business operations, financial accounting, and compliance with legal obligations—such as data archiving requirements. In doing so, we process the same data that we process in the course of providing our contractual services. The legal bases for this processing are Art. 6 Para. 1 lit. c GDPR and Art. 6 Para. 1 lit. f GDPR. The processing affects customers, prospective customers, business partners, and website visitors. The purpose of—and our legitimate interest in—this processing lies in administration, financial accounting, office organization, and data archiving; these are tasks that serve to maintain our business operations, fulfill our duties, and provide our services. The retention and deletion of data regarding contractual services and contractual communications are governed by the specifications set forth in the sections describing those specific processing activities.
In this context, we disclose or transmit data to tax authorities, professional advisors (such as tax consultants or auditors), as well as other fee-collecting bodies and payment service providers.
Furthermore, based on our legitimate business interests, we store information regarding suppliers, event organizers, and other business partners—for instance, for the purpose of establishing future contact. We generally retain this data—which is predominantly business-related—on a permanent basis.
Registration
Users may create a user account. During the registration process, users are informed of the mandatory information required; this information is processed pursuant to Art. 6 Para. 1 lit. b GDPR for the purpose of providing the user account. The data processed includes, in particular, login credentials (name, password, and an email address). The data entered during registration is used for the purpose of enabling the use of the user account and fulfilling its intended function.
Users may be notified via email regarding information relevant to their user account—such as technical changes. If users terminate their user account, the data associated with that account will be deleted, subject to any statutory retention obligations. It is the users’ responsibility to back up their data prior to the end of the contract term in the event of termination. We reserve the right to permanently delete all user data stored during the contract term.
In connection with the use of our registration and login functions, as well as the use of the user account itself, we store the IP address and the timestamp of each user action. This data is stored based on our legitimate interests—as well as those of the users—in preventing misuse and other unauthorized activity. As a general rule, this data is not disclosed to third parties unless such disclosure is necessary to assert our legal claims or a statutory obligation to do so exists pursuant to Art. 6 Para. 1 lit. c GDPR. IP addresses are anonymized or deleted no later than 7 days after collection.
Comments and Posts
When users leave comments or other contributions, their IP addresses may be stored for 7 days based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. This is done for our own security, in the event that someone leaves unlawful content in comments or contributions (e.g., insults, prohibited political propaganda, etc.). In such cases, we ourselves could be held liable for the comment or contribution and are therefore interested in the identity of the author.
Furthermore, we reserve the right—based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR—to process user data for the purpose of spam detection.
On the same legal basis, we reserve the right—in the case of surveys—to store users’ IP addresses for the duration of the survey and to use cookies to prevent multiple voting.
Personal information provided within the context of comments and contributions—including any contact or website details, as well as the content itself—is stored by us permanently until the user objects.
Comment Subscriptions
Users may subscribe to follow-up comments with their consent, in accordance with Art. 6 Para. 1 lit. a of the GDPR. Users will receive a confirmation email to verify that they are the owner of the email address provided. Users may cancel active comment subscriptions at any time. The confirmation email will contain instructions regarding how to withdraw consent. For the purpose of proving user consent, we store the time of registration along with the user’s IP address; we delete this information once the user unsubscribes from the service.
You may cancel your subscription—i.e., withdraw your consent—at any time. We may retain the unsubscribed email addresses for up to three years—based on our legitimate interests—before deleting them, in order to provide proof of consent previously granted. The processing of this data is limited to the purpose of potentially defending against legal claims. An individual request for deletion may be submitted at any time, provided that the prior existence of consent is simultaneously confirmed.
Akismet Anti-Spam Check
Our online service utilizes “Akismet,” a service provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Our use of this service is based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f) of the GDPR. This service helps distinguish comments submitted by real people from spam comments. To achieve this, all comment-related data is transmitted to a server in the USA, where it is analyzed and stored for comparison purposes for a period of four days. If a comment is classified as spam, the associated data is retained beyond this initial period. This data includes the name entered, the email address, the IP address, the content of the comment, the referrer URL, information regarding the browser and computer system used, and the time of submission.
Further information regarding the collection and use of data by Akismet can be found in Automattic’s Privacy Policy: https://automattic.com/privacy/.
Users are welcome to use pseudonyms or to refrain from entering a name or email address. You can completely prevent the transmission of your data by choosing not to use our comment system. While we would regret this, we are unable to identify any alternative solution that functions with the same level of effectiveness.
Retrieving Profile Pictures from Gravatar
Within our online offering—and specifically within our blog—we utilize the Gravatar service provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.
Gravatar is a service that allows users to register and store profile pictures and their email addresses. When users leave posts or comments on other online platforms (particularly in blogs) using that same email address, their profile pictures can be displayed alongside their posts or comments. To facilitate this, the email address provided by the user is transmitted to Gravatar in an encrypted format for the sole purpose of verifying whether a profile is associated with that address. This constitutes the only purpose for transmitting the email address; it is not used for any other purposes and is deleted thereafter.
Our use of Gravatar is based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f) of the GDPR, as Gravatar enables us to offer authors of posts and comments the opportunity to personalize their contributions with a profile picture.
By displaying these images, Gravatar obtains the users’ IP addresses, as this is a technical necessity for communication between a web browser and an online service. Further information regarding the collection and use of data by Gravatar can be found in Automattic’s Privacy Policy: https://automattic.com/privacy/.
If users do not wish for a profile picture linked to their email address via Gravatar to appear in the comments section, they should use an email address that is not registered with Gravatar when posting comments. We further note that it is also possible to use an anonymous email address—or no email address at all—should users prefer not to have their personal email address transmitted to Gravatar. Users can completely prevent the transmission of their data by refraining from using our comment system.
Retrieving Emojis and Smilies
Within our WordPress blog, graphical emojis (or “smileys”—small graphic files used to express emotions) are utilized; these are retrieved from external servers. In this process, the providers of these servers collect the users’ IP addresses. This is necessary to enable the transmission of the emoji files to the users’ browsers. This emoji service is provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Automattic’s Privacy Policy can be found at: https://automattic.com/privacy/. The server domains used are s.w.org and twemoji.maxcdn.com; to the best of our knowledge, these function as so-called Content Delivery Networks—that is, servers dedicated solely to the rapid and secure transmission of files—and users’ personal data is deleted once the transmission is complete.
The use of these emojis is based on our legitimate interests—specifically, our interest in the attractive design of our online offering—pursuant to Art. 6 Para. 1 lit. f of the GDPR.
Contacting Us
When contacting us (e.g., via contact form, email, telephone, or social media), the user’s details are processed for the purpose of handling and fulfilling the contact request in accordance with Art. 6 Para. 1 lit. b GDPR (within the scope of contractual or pre-contractual relationships) and Art. 6 Para. 1 lit. f GDPR (for other inquiries). User details may be stored in a Customer Relationship Management system (“CRM system”) or a comparable inquiry management system.
We delete inquiries once they are no longer required. We review the necessity of retaining such data every two years; furthermore, statutory archiving obligations apply.
Newsletter
In the following sections, we provide you with information regarding the content of our newsletter, the registration, distribution, and statistical analysis procedures, as well as your rights to object. By subscribing to our newsletter, you agree to its receipt and to the procedures described herein.
Newsletter Content: We send newsletters, emails, and other electronic notifications containing promotional information (hereinafter referred to as “Newsletters”) only with the consent of the recipients or where legally permitted. If the specific content of the newsletter is explicitly defined during the registration process, this description serves as the definitive basis for the user’s consent. Otherwise, our newsletters contain information regarding our services and our organization.
Double Opt-In and Logging: Registration for our newsletter is carried out using a so-called “double opt-in” procedure. This means that, after registering, you will receive an email requesting that you confirm your subscription. This confirmation is necessary to prevent unauthorized persons from subscribing using third-party email addresses. Registrations for the newsletter are logged in order to document the registration process in accordance with legal requirements. This includes recording the time of registration and confirmation, as well as the IP address used. Changes to your data stored by our email service provider are also logged.
Registration Data: To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we request that you provide a name to enable us to address you personally within the newsletter.
The distribution of the newsletter and the associated performance measurement are carried out on the basis of the recipients’ consent pursuant to Art. 6 Para. 1 lit. a and Art. 7 of the GDPR, in conjunction with § 7 Para. 2 No. 3 of the UWG (German Act Against Unfair Competition); or—where consent is not required—on the basis of our legitimate interests in direct marketing pursuant to Art. 6 Para. 1 lit. f of the GDPR, in conjunction with § 7 Para. 3 of the UWG. The logging of the registration process is carried out on the basis of our legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR. Our interest lies in the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of our users, and furthermore allows us to provide proof of consent.
Cancellation/Withdrawal – You may cancel your subscription to our newsletter at any time—i.e., withdraw your consent. You will find a link to cancel the newsletter at the end of every newsletter issue. We may store the unsubscribed email addresses for up to three years—based on our legitimate interests—before deleting them, in order to be able to provide proof of a previously given consent. The processing of this data is limited to the purpose of potentially defending against legal claims. An individual request for deletion may be submitted at any time, provided that the prior existence of consent is simultaneously confirmed.
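The double opt-in flow described above (registration logged with time and IP, confirmation before any mail is sent, unsubscribe with a retention window that preserves proof of consent) as an added example. This is not code from this site or its mailing service provider; it keeps records in memory, the 48-hour confirmation window and the token format are assumptions, and the three-year retention figure is the policy's own.

```python
"""Double opt-in newsletter registration with a consent log.

Added example, not code from the site or its mailing service provider.
Everything is kept in memory; CONFIRM_WINDOW is an assumption, the
three-year proof-of-consent retention is the policy's own figure.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

CONFIRM_WINDOW = timedelta(hours=48)         # assumption: unconfirmed requests expire
PROOF_RETENTION = timedelta(days=3 * 365)    # "up to three years" per the policy


@dataclass
class Subscriber:
    email: str
    name: Optional[str] = None
    status: str = "pending"                  # pending -> confirmed -> unsubscribed
    token: Optional[str] = None              # single-use confirmation token
    requested_at: Optional[datetime] = None
    unsubscribed_at: Optional[datetime] = None
    log: list = field(default_factory=list)  # (event, time, ip): the proof of consent


class NewsletterStore:
    def __init__(self):
        self.subscribers = {}

    def request(self, email, ip, now, name=None):
        """Step 1: registration. Logs time and IP and returns the token that
        would be emailed to the address. The address is only 'pending' so far."""
        email = email.strip().lower()
        existing = self.subscribers.get(email)
        if existing is not None and existing.status == "confirmed":
            return None                      # already subscribed; nothing to confirm
        sub = Subscriber(email=email, name=name, token=secrets.token_urlsafe(32),
                         requested_at=now)
        sub.log.append(("registered", now, ip))
        self.subscribers[email] = sub        # a repeat request replaces the pending one
        return sub.token

    def confirm(self, email, token, ip, now):
        """Step 2: the address owner clicks the link. Only now is consent valid,
        which is what stops third parties subscribing someone else's address."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None or sub.status != "pending" or sub.token is None:
            return False
        if now - sub.requested_at > CONFIRM_WINDOW:
            return False
        if not hmac.compare_digest(sub.token, token):   # constant-time comparison
            return False
        sub.status = "confirmed"
        sub.token = None                     # token cannot be replayed
        sub.log.append(("confirmed", now, ip))
        return True

    def unsubscribe(self, email, ip, now):
        """Withdrawal of consent. The record is kept (not deleted) so the
        earlier consent can still be proven, then purged after PROOF_RETENTION."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None or sub.status != "confirmed":
            return False
        sub.status = "unsubscribed"
        sub.unsubscribed_at = now
        sub.log.append(("unsubscribed", now, ip))
        return True

    def mailing_list(self):
        """Only confirmed addresses ever receive a newsletter."""
        return sorted(s.email for s in self.subscribers.values() if s.status == "confirmed")

    def proof_of_consent(self, email):
        sub = self.subscribers.get(email.strip().lower())
        return list(sub.log) if sub else []

    def purge(self, now):
        """Delete expired pending requests and unsubscribed records whose
        retention period has elapsed. Returns the deleted addresses."""
        gone = []
        for email, s in list(self.subscribers.items()):
            stale_pending = s.status == "pending" and now - s.requested_at > CONFIRM_WINDOW
            stale_proof = s.status == "unsubscribed" and now - s.unsubscribed_at > PROOF_RETENTION
            if stale_pending or stale_proof:
                del self.subscribers[email]
                gone.append(email)
        return sorted(gone)
```

The consent log is the artefact that matters if a recipient later disputes having subscribed: it holds the registration time and IP, the confirmation time and IP, and the withdrawal, and it outlives the subscription itself until the retention period runs out.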
Newsletter – Mailchimp
The newsletters are sent using the mailing service provider “MailChimp,” a newsletter distribution platform provided by the US-based vendor Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the privacy policy of the mailing service provider here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Framework and thereby commits to adhering to European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The mailing service provider is engaged based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR and a data processing agreement pursuant to Art. 28 Para. 3 S. 1 GDPR.
The mailing service provider may use the recipients’ data in a pseudonymized form—i.e., without attributing it to a specific user—to optimize or improve its own services; for example, for the technical optimization of the delivery and display of the newsletters, or for statistical purposes. However, the mailing service provider does not use the data of our newsletter recipients to contact them directly or to share the data with third parties.
Newsletter – Success Measurement
The newsletters contain a so-called “web beacon”: a pixel-sized image file that is retrieved from our server (or, if we use a third-party service provider, from their server) when the newsletter is opened. During this retrieval, technical information, such as details of your browser and operating system, as well as your IP address and the time of access, is collected first.
This information is used to improve our services technically, and to better understand our target audiences and their reading behavior based on their location (which can be derived from the IP address) and access times. These statistical analyses also include determining whether and when newsletters are opened, and which links are clicked. For technical reasons, this information can be linked to individual newsletter recipients; however, it is neither our intention, nor, where applicable, that of our service provider, to monitor individual users. Rather, these analyses serve to help us identify our users’ reading habits, tailor our content to their needs, and distribute different content based on our users’ specific interests.
It is not possible to opt out of this performance measurement separately; if you do not wish it to take place, the newsletter subscription as a whole must be cancelled.
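Why an open can be linked to an individual recipient, shown as an added example that is not code from this site or its mailing service provider: every copy of the newsletter carries its own beacon URL, and the server that serves the pixel records who fetched it, from which address, with which client and when. The hostname, path layout, recipient identifiers and the signing secret below are assumptions.

```python
"""Newsletter open tracking through a per-recipient, signed web beacon.

Added example, not code from the site or its mailing service provider.
The hostname, path layout, recipient identifiers and SECRET are assumptions.
"""
import hashlib
import hmac
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

SECRET = b"assumed-beacon-secret"      # assumption; in practice kept out of source
BASE = "https://news.example/o"        # assumption


def _mac(campaign: str, recipient: str) -> str:
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def beacon_url(campaign: str, recipient: str) -> str:
    """URL of the 1x1 image embedded in the copy sent to `recipient`.

    Each copy gets its own URL, which is what ties an open to one recipient.
    The MAC stops third parties from forging opens for arbitrary recipients."""
    return f"{BASE}/{campaign}/{recipient}.{_mac(campaign, recipient)}.gif"


def record_open(url: str, remote_ip: str, user_agent: str,
                now: datetime, log: list) -> Optional[dict]:
    """Server side of the beacon: what is learned when the image is fetched.

    Returns the log entry, or None for a malformed or forged URL."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "o" or not parts[2].endswith(".gif"):
        return None
    campaign = parts[1]
    recipient, _, mac = parts[2][:-4].rpartition(".")
    if not recipient or not hmac.compare_digest(mac, _mac(campaign, recipient)):
        return None
    entry = {"campaign": campaign, "recipient": recipient, "ip": remote_ip,
             "user_agent": user_agent, "opened_at": now}
    log.append(entry)
    return entry


def opens_per_recipient(log: list) -> dict:
    """The per-recipient view that the policy says is technically possible."""
    counts = {}
    for e in log:
        counts[e["recipient"]] = counts.get(e["recipient"], 0) + 1
    return counts
```

Because the identifier is baked into the message body, there is no server-side switch a recipient can flip; the only client-side defence is a mail client that does not load remote images, which is consistent with the policy's statement that tracking cannot be declined separately from the subscription.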
Hosting and Email Delivery
The hosting services we utilize serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services, as well as technical maintenance services, which we employ for the purpose of operating this online offering.
In this context, we—or our hosting provider—process inventory data, contact data, content data, contract data, usage data, and meta and communication data of customers, prospective customers, and visitors to this online offering. This processing is carried out on the basis of our legitimate interests in the efficient and secure provision of this online offering, pursuant to Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a Data Processing Agreement).
Collection of Access Data and Log Files
We—or rather, our hosting provider—collect data regarding every access to the server hosting this service (so-called server log files) on the basis of our legitimate interests pursuant to Art. 6 Para. 1 lit. f of the GDPR. The access data includes the name of the website accessed, the file retrieved, the date and time of access, the volume of data transferred, the status of the request (e.g., successful access), browser type and version, the user’s operating system, the referrer URL (the previously visited page), the IP address, and the requesting provider.
Log file information is stored for a maximum period of 7 days for security reasons (e.g., to investigate instances of abuse or fraud) and is subsequently deleted. Data requiring longer retention for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
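The log handling described in the two paragraphs above (what a server log line contains, the seven-day retention, and the exemption for records tied to an incident still under investigation) as an added example. This is not the hosting provider's code; it assumes the common Apache/nginx “combined” log format and models an incident hold as a set of client IP addresses, and the log lines are constructed for the example.

```python
"""Server log parsing, abuse flagging and seven-day retention.

Added example, not the hosting provider's code. Assumes the Apache/nginx
'combined' log format; an incident hold is modelled as a set of client IPs.
SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Fields match the access data the policy lists: client IP, time, requested
# file, status, bytes transferred, referrer, browser/OS (user agent).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
RETENTION = timedelta(days=7)   # the policy's maximum retention

SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.23 - - [09/Mar/2024:08:15:00 +0000] "GET /shop HTTP/1.1" 200 8192 "https://example.net/" "Mozilla/5.0"
not a log line
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def load(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def flag_abuse(entries, threshold=3):
    """Client IPs with at least `threshold` error responses: the kind of
    pattern the policy cites as a reason for keeping logs at all."""
    errors = Counter(e["ip"] for e in entries if e["status"] >= 400)
    return {ip for ip, n in errors.items() if n >= threshold}


def apply_retention(entries, now, holds=frozenset()):
    """Split entries into (keep, delete): anything older than RETENTION is
    deleted unless its client IP is on an incident hold."""
    keep, delete = [], []
    for e in entries:
        if e["ip"] in holds or now - e["time"] <= RETENTION:
            keep.append(e)
        else:
            delete.append(e)
    return keep, delete
```

Run daily, `apply_retention` with an empty hold set implements the seven-day rule; adding the IPs flagged by `flag_abuse` to the hold set while an incident is open implements the exemption, and the hold should be cleared (so the next run deletes the records) once the incident is closed.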
Jetpack (WordPress Stats)
We utilize the Jetpack plugin (specifically the “WordPress Stats” feature), which integrates a tool for the statistical analysis of visitor access; this plugin is provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Jetpack uses so-called “cookies”—text files that are stored on your computer and enable an analysis of your use of the website.
The information generated by the cookie regarding your use of this online service is stored on a server in the USA. In the course of this process, user profiles may be created from the processed data; however, these profiles are used solely for analytical purposes and not for advertising purposes. Further information can be found in Automattic’s Privacy Policy: https://automattic.com/privacy/ and in the information regarding Jetpack cookies: https://jetpack.com/support/cookies/.
Insofar as we request user consent (e.g., within the context of a cookie consent banner), the legal basis for this processing is Art. 6 Para. 1 lit. a of the GDPR. Otherwise, users’ personal data is processed on the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and economic operation of our online service within the meaning of Art. 6 Para. 1 lit. f of the GDPR).
Facebook-Pixel, Custom Audiences and Facebook-Conversion
Within our online offering, we utilize the so-called “Facebook Pixel” provided by the social network Facebook, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
The Facebook Pixel enables Facebook, on the one hand, to identify visitors to our online offering as a target audience for the display of advertisements (so-called “Facebook Ads”). Accordingly, we use the Facebook Pixel to ensure that the Facebook Ads we place are displayed only to those Facebook users who have demonstrated an interest in our online offering, or who possess specific characteristics (e.g., interests in certain topics or products, determined based on the websites visited) that we transmit to Facebook (so-called “Custom Audiences”). Through the use of the Facebook Pixel, we also aim to ensure that our Facebook Ads align with the potential interests of users and do not appear intrusive. Furthermore, the Facebook Pixel allows us to track the effectiveness of Facebook advertisements for statistical and market research purposes by observing whether users were redirected to our website after clicking on a Facebook advertisement (so-called “Conversion”).
Data processing by Facebook is carried out in accordance with Facebook’s Data Policy. Accordingly, general information regarding the display of Facebook Ads can be found in Facebook’s Data Policy: https://www.facebook.com/policy. Specific information and details regarding the Facebook Pixel and its functionality are available in Facebook’s Help Center: https://www.facebook.com/business/help/651294705016616.
In instances where we request user consent (e.g., within the context of a cookie consent mechanism), the legal basis for this processing is Art. 6 Para. 1 lit. a of the GDPR. Otherwise, users’ personal data is processed on the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f of the GDPR).
Facebook is certified under the Privacy Shield Framework and thereby commits to complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
You may object to the collection of data via the Facebook Pixel and to the use of your data for the display of Facebook Ads. To configure which types of advertisements are displayed to you within Facebook, you can visit the page set up by Facebook and follow the instructions regarding settings for interest-based advertising: https://www.facebook.com/settings?tab=ads. These settings are platform-independent; that is, they apply to all devices, such as desktop computers or mobile devices.
Furthermore, you may object to the use of cookies for audience measurement and advertising purposes via the opt-out page of the Network Advertising Initiative (http://optout.networkadvertising.org/), as well as via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
Social Media Presences
We maintain online presences within social networks and platforms in order to communicate with customers, prospective customers, and users active there, and to inform them about our services.
We wish to point out that, in this context, user data may be processed outside the European Union. This may give rise to risks for users—for instance, because the enforcement of users’ rights could be rendered more difficult. With regard to US providers certified under the Privacy Shield, we note that they thereby commit to complying with EU data protection standards.
Furthermore, user data is typically processed for market research and advertising purposes. For example, usage profiles may be created based on users’ usage behavior and the resulting interests. These usage profiles may, in turn, be used to display advertisements—both within and outside the platforms—that are presumed to align with the users’ interests. For these purposes, cookies are typically stored on users’ computers; these cookies record the users’ usage behavior and interests. Additionally, data may be stored within these usage profiles independently of the specific devices used by the users (particularly if the users are members of the respective platforms and are logged into them).
The processing of users’ personal data is carried out on the basis of our legitimate interests in effectively informing and communicating with users, pursuant to Art. 6 Para. 1 lit. f of the GDPR. Should users be asked by the respective platform providers to consent to the data processing described above, the legal basis for such processing is Art. 6 Para. 1 lit. a and Art. 7 of the GDPR.
For a detailed overview of the specific processing activities and the available options to object (opt-out), we refer you to the information provided by the respective providers, linked below. In the event of requests for information or the exercise of user rights, we wish to point out that such requests are most effectively addressed directly to the respective providers. Only the providers have access to user data and are able to take appropriate measures or provide information directly. Should you nevertheless require assistance, you may contact us.
- Facebook, Facebook Pages, Facebook Groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – based on an agreement regarding the joint processing of personal data – Privacy Policy: https://www.facebook.com/about/privacy/, specifically for Pages: https://www.facebook.com/legal/terms/information_about_page_insights_data, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy Policy/ Opt-Out: http://instagram.com/about/legal/privacy/.
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
- Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – Privacy Policy/ Opt-Out: https://about.pinterest.com/de/privacy-policy.
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy Policy: https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.
- Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) – Privacy Policy/ Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.
- Wakelet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) – Privacy Policy/ Opt-Out: https://wakelet.com/privacy.html.
- SoundCloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) – Privacy Policy/ Opt-Out: https://soundcloud.com/pages/privacy.
Integration of Third-Party Services and Content
Within our online offering, and based on our legitimate interests (i.e., our interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f of the GDPR), we utilize content or service offerings from third-party providers in order to integrate their content and services—such as videos or fonts (hereinafter uniformly referred to as “Content”).
This always presupposes that the third-party providers of this Content can see the users’ IP addresses, since without the IP address they could not send the Content to the users’ browsers. The IP address is therefore required for the display of this Content. We endeavor to use only such Content where the respective providers use the IP address solely for the delivery of the Content. Furthermore, third-party providers may use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through the use of pixel tags, information such as visitor traffic on the pages of this website can be analyzed. This pseudonymous information may also be stored in cookies on the users’ devices and may contain, among other things, technical information regarding the browser and operating system, referring websites, time of visit, and other details regarding the use of our online offering; it may also be combined with such information from other sources.
Vimeo
We may embed videos from the “Vimeo” platform, provided by Vimeo Inc., Attention: Legal Department, 555 West 18th Street, New York, New York 10011, USA. Privacy Policy: https://vimeo.com/privacy. We wish to point out that Vimeo may utilize Google Analytics; in this regard, we refer to the Google Analytics Privacy Policy (https://policies.google.com/privacy), the opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=de), or Google’s settings for data usage for marketing purposes (https://adssettings.google.com/).
Youtube
We embed videos from the “YouTube” platform, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Google Fonts
We integrate fonts (“Google Fonts”) provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. According to Google, user data is used solely for the purpose of displaying the fonts in the users’ browsers. This integration is based on our legitimate interests in the technically secure, maintenance-free, and efficient use of fonts, their uniform display, and compliance with potential licensing restrictions regarding their integration. Privacy Policy: https://www.google.com/policies/privacy/.
Google ReCaptcha
We integrate a function for bot detection—e.g., for inputs in online forms (“ReCaptcha”)—provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Google Maps
We integrate maps from the “Google Maps” service, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data processed may include, in particular, users’ IP addresses (which are transmitted whenever a map is loaded) and location data; location data, however, is not collected without the user’s consent (typically granted via the settings on their mobile devices). The data may be processed in the USA. Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Instagram
Within our online offering, functions and content from the service Instagram—provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA—may be embedded. This may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this online offering within Instagram. If users are members of the Instagram platform, Instagram may associate the access to the aforementioned content and functions with the users’ profiles on that platform. Instagram Privacy Policy: http://instagram.com/about/legal/privacy/.