Preamble

With the following Privacy Policy, we wish to inform you about the types of personal data (hereinafter also referred to briefly as “Data”) that we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences—such as our social media profiles (hereinafter collectively referred to as our “Online Offering”).

The terms used are not gender-specific.

Table of contents

• Preamble
• Responsible party
• Processing overview
• Applicable legal bases
• Security measures
• Deletion of data
• Rights of data subjects
• Use of cookies
• Business services
• Bereitstellung des Onlineangebotes und Webhosting
• Provision of the online offering and web hosting
• Presences in social networks (social media)
• Plugins, embedded functions, and content
• Modification and update of the privacy policy
• Definitions of terms

Responsible party

monalaura
Stresemannstr. 374b
2ter Stock
22761 Hamburg
Deutschland

Persons authorized to represent:

Simone Tesch & Laura Borkowski

E-Mail-Adresse:

info[at]monalaura.de

Legal notice:

https://monalaura/impressum/

Applicable legal bases

Relevant Legal Bases under the GDPR: The following provides an overview of the legal bases under the GDPR upon which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations applicable in your or our country of residence or establishment may also apply. Furthermore, should more specific legal bases be applicable in individual cases, we will inform you of these in the Privacy Policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
• Contractual Performance and Pre-contractual Inquiries (Art. 6 Para. 1 Sentence 1 lit. b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal Obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate Interests (Art. 6 para. 1 lit. f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests or the fundamental rights and freedoms of the data subject which require protection of personal data override such interests.

National Data Protection Regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, specifically, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and data transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual federal states may also apply.

Note regarding the applicability of the GDPR and the Swiss DPA: These Privacy Notices serve to provide information in accordance with both the Swiss Federal Act on Data Protection (Swiss DPA) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that, due to their broader territorial scope and clarity, the terminology of the GDPR is used herein. Specifically, instead of the terms used in the Swiss DPA—namely “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data”—we employ the corresponding terms used in the GDPR: “processing” of “personal data,” “legitimate interest,” and “special categories of data.” However, within the scope of the Swiss DPA’s applicability, the legal meaning of these terms continues to be determined in accordance with the Swiss DPA.

Processing overview

The following overview summarizes the types of data processed and the purposes of their processing, and identifies the data subjects concerned.

Types of data processed

• Inventory data
• Payment details
• Contact details
• Content data
• Contract data
• Usage Data.
• Metadata, communication data, and process data.
• Event data (Facebook).

Special categories of data

• Health data.

Categories of data subjects

• Customers.
• Interessenten.
• Interested parties.
• Users.
• Business and contractual partners
• School students / university students / participants.

Purposes of processing

• Provision of contractual services and fulfillment of contractual obligations.
• Contact inquiries and communication.
• Security measures.
• Office and organizational procedures
• Management and handling of inquiries.
• Feedback.
• Marketing.
• Profiles containing user-specific information.
• Provision of our online offering and user-friendliness.
• Information technology infrastructure

Security measures

In accordance with statutory requirements—and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihoods and severity of the risks to the rights and freedoms of natural persons—we implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk.

These measures specifically include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as controlling access, input, transmission, availability, and segregation related to it. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and appropriate responses to data security incidents. Moreover, we incorporate the protection of personal data into the development and selection of hardware, software, and procedures—in accordance with the principles of data protection by design and by default—through technical design and privacy-friendly default settings.

TLS Encryption (https): To protect the data you transmit via our online service, we use TLS encryption. You can recognize such encrypted connections by the https:// prefix in your browser’s address bar.

Deletion of data

The data we process is deleted in accordance with statutory requirements as soon as the consents permitting its processing are revoked or other legal grounds for processing cease to apply (e.g., when the purpose for processing such data has lapsed or the data is no longer required for that purpose). Insofar as data is not deleted because it remains necessary for other, legally permissible purposes, its processing is restricted to those specific purposes. This means that the data is blocked and not processed for any other purposes. This applies, for example, to data that must be retained for commercial or tax-related reasons, or whose retention is necessary for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person. Furthermore, our privacy notices may contain additional information regarding the retention and deletion of data, which takes precedence for the respective processing activities.

Rights of data subjects

Rights of Data Subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, specifically those set forth in Articles 15 to 21 of the GDPR:

• Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
• Right to Withdraw Consent: You have the right to withdraw granted consents at any time.
• Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed, as well as access to such data, further information, and a copy of the data, in accordance with statutory requirements.
• Right to Rectification: In accordance with statutory requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
• Right to Erasure and Restriction of Processing: In accordance with statutory provisions, you have the right to request that data concerning you be erased without undue delay, or, alternatively—and in accordance with statutory provisions—to request a restriction of the processing of such data.
• Right to Data Portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, in accordance with statutory requirements, or to request its transmission to another controller.
• Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority—in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement—if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

Use of cookies

Cookies are small text files—or other similar storage markers—that store information on end devices and retrieve information from them. For example, they are used to store the login status of a user account, the contents of a shopping cart in an online shop, or the specific content accessed and features used within an online service. Furthermore, cookies may be employed for various purposes—such as ensuring the functionality, security, and user-friendliness of online services, as well as for analyzing visitor traffic.

Consent Information: We use cookies in compliance with statutory regulations. Therefore, we obtain prior consent from users, except in cases where such consent is not legally required. In particular, consent is not necessary when the storage and retrieval of information—including cookies—are strictly necessary to provide users with a telemedia service (i.e., our online offering) that they have expressly requested. Strictly necessary cookies generally include those with functions that serve the display and operational integrity of the online offering, load balancing, security, the storage of user preferences and choices, or similar purposes related to the provision of the primary and secondary functions of the online offering requested by the users. This revocable consent is clearly communicated to users and includes information regarding the specific use of cookies.

Notes on Legal Bases for Data Protection: The specific legal basis under data protection law upon which we process users’ personal data using cookies depends on whether we request the users’ consent. If users provide their consent, the legal basis for processing their data is the consent given. Otherwise, data processed using cookies is processed on the basis of our legitimate interests (e.g., in the economic operation of our online offering and the improvement of its usability) or—where such processing occurs in the context of fulfilling our contractual obligations—on the basis that the use of cookies is necessary to fulfill said contractual obligations. We provide clarification regarding the specific purposes for which we process cookies throughout this Privacy Policy or within the scope of our consent and data processing procedures.

Storage Duration: With regard to storage duration, the following types of cookies are distinguished:

• Temporary Cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their device (e.g., browser or mobile application).
• Persistent Cookies: Persistent cookies remain stored even after the device is switched off. This allows, for example, the login status to be saved or preferred content to be displayed directly when a user revisits a website. Similarly, data collected from users with the aid of cookies may be used for audience measurement purposes. Unless we provide users with explicit information regarding the type and retention period of cookies (e.g., in the context of obtaining consent), users should assume that cookies are persistent and that the retention period may extend up to two years.

General Information on Revocation and Objection (so-called “Opt-Out”): Users may revoke their given consents at any time and object to data processing in accordance with statutory requirements. To do so, users may—among other measures—restrict the use of cookies within their browser settings (though this may also limit the functionality of our online service). An objection to the use of cookies for online marketing purposes can also be submitted via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/

• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures, and services:

• Processing of Cookie Data Based on Consent: We employ a cookie consent management procedure through which users’ consent to the use of cookies—or to the specific processing activities and providers identified within the scope of this procedure—is obtained, as well as managed and revoked by the users. In this context, the declaration of consent is stored so that the request for consent does not need to be repeated and so that the consent can be substantiated in accordance with legal obligations. This storage may take place server-side and/or within a cookie (a so-called “opt-in cookie,” or by means of comparable technologies) in order to associate the consent with a specific user or their device. Subject to specific details regarding the providers of cookie management services, the following information applies: The consent may be stored for a period of up to two years. During this process, a pseudonymous user identifier is generated and stored alongside the timestamp of the consent, details regarding the scope of the consent (e.g., which categories of cookies and/or service providers are included), and information concerning the browser, system, and device used; Legal Basis: Consent (Art. 6 para. 1 lit. a) GDPR).
• BorlabsCookie: Cookie Consent Management; Service Provider: Hosted locally on our server; no data is shared with third parties; Website: https://de.borlabs.io/borlabs-cookie/. Further Information: A unique user ID, language settings, the types of consents granted, and the timestamp of their submission are stored both server-side and within a cookie on the user’s device.

Geschäftliche Leistungen

We process data of our contractual and business partners—e.g., customers and prospective customers (collectively referred to as “Contractual Partners”)—within the scope of contractual and comparable legal relationships, as well as associated measures, and in the context of communication with the Contractual Partners (or in the pre-contractual phase)—for instance, to respond to inquiries.

We process this data in order to fulfill our contractual obligations. This includes, in particular, obligations regarding the provision of agreed-upon services, any duties to provide updates, and the rectification of issues arising from warranties or other service-related disruptions. Furthermore, we process the data to safeguard our rights and for the purpose of administrative tasks associated with these obligations, as well as for the organization of our business operations. Additionally, we process the data based on our legitimate interests in proper and efficient business management, as well as in implementing security measures designed to protect our contractual partners and our business operations against misuse and against threats to their data, trade secrets, information, and rights (e.g., by engaging telecommunications, transport, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In accordance with applicable law, we disclose the data of contractual partners to third parties only to the extent necessary for the aforementioned purposes or to fulfill statutory obligations. Contractual partners are informed of any further forms of data processing—e.g., for marketing purposes—within the scope of this Privacy Policy.

We inform contractual partners—either prior to or during the data collection process (e.g., in online forms)—which data are required for the aforementioned purposes, doing so through specific markings (e.g., colors), symbols (e.g., asterisks or similar), or in person.

We delete data upon the expiration of statutory warranty obligations and comparable duties—that is, generally after a period of four years—unless the data is stored within a customer account, or, for instance, for as long as it must be retained for statutory archiving purposes. The statutory retention period is ten years for tax-relevant documents, as well as for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions and other organizational documents necessary to understand these records, and accounting vouchers; the period is six years for received commercial and business letters, as well as for copies of sent commercial and business letters. This period commences at the end of the calendar year in which the last entry was made in a book; the inventory, opening balance sheet, annual financial statement, or management report was prepared; a commercial or business letter was received or sent; an accounting voucher was created; a record was made; or other documents were generated.

Insofar as we utilize third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply to the relationship between the users and the providers.

• Types of data processed: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., subject matter of contract, term, customer category).
• Special categories of personal data: Health data.
• Affected Persons: Prospective customers; business and contractual partners; pupils/students/participants; customers.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; contact inquiries and communication; office and organizational procedures. Management and response to inquiries.
• Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

• Educational and Training Services: We process the data of participants in our educational and training programs (collectively referred to as “Trainees”) in order to provide our training services to them. The data processed in this context—as well as the nature, scope, purpose, and necessity of its processing—are determined by the underlying contractual and training relationship. Processing activities also include performance assessment and the evaluation of our services, as well as those of the instructors. In the course of our operations, we may also process special categories of data—specifically, information regarding the health of Trainees, as well as data revealing their ethnic origin, political opinions, or religious or philosophical beliefs. To this end, we obtain the explicit consent of the Trainees where necessary; otherwise, we process such special categories of data only when required for the provision of training services, for purposes of preventive health care or social protection, or to protect the vital interests of the Trainees. Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR).
• Artistic and Literary Services: We process our clients’ data to facilitate the selection, acquisition, or commissioning of their chosen services or works—as well as associated activities—and to enable their payment, delivery, execution, or provision. The required information is explicitly designated as such during the process of placing an order, making a purchase, or concluding a comparable contract; this includes the details necessary for delivery and billing, as well as contact information to facilitate any necessary follow-up communication.
  Legal Basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR).
• Therapeutic Services: We process the data of our clients, as well as prospective clients and other principals or contractual partners (collectively referred to as “Clients”), in order to provide our services to them. The specific data processed—as well as the nature, scope, purpose, and necessity of such processing—are determined by the underlying contractual and client relationship. In the course of our activities, we may also process special categories of data—specifically, information regarding the Clients’ health (potentially including details related to their sexual life or sexual orientation), as well as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. To this end, we obtain the explicit consent of the Clients where required; otherwise, we process such special categories of data only insofar as doing so serves the Clients’ health interests, the data in question has been made public by the Clients, or other statutory authorizations exist. Insofar as it is necessary for the fulfillment of our contractual obligations, for the protection of vital interests, or as required by law—or where the Clients have provided their consent—we may disclose or transmit Client data to third parties or appointed service providers (such as public authorities, medical facilities, laboratories, billing centers, or providers of IT, administrative, or similar services), while strictly adhering to applicable professional regulations.
  Legal bases: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• Events and Activities: We process the data of participants in events, activities, and similar undertakings offered or hosted by us (hereinafter collectively referred to as “Participants” and “Events”) in order to enable them to participate in said events and to utilize the services or promotions associated with such participation. Insofar as we process health-related data, religious or political beliefs, or other special categories of data within this context, such processing is carried out on the basis of manifest disclosure (e.g., in the case of thematically focused events), serves the purpose of health precaution or safety, or is conducted with the consent of the data subjects concerned. The information required for this purpose is explicitly designated as such during the order, booking, or comparable contractual process; it comprises the details necessary for service provision and billing, as well as contact information to facilitate any necessary follow-up communication. To the extent that we gain access to information pertaining to end customers, employees, or other individuals, we process such information in compliance with applicable statutory and contractual requirements.
  Legal bases: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Provision of the Online Offering and Web Hosting

We process user data in order to provide our online services to them. To this end, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

• Types of data processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); Content data (e.g., entries in online forms).
• Affected persons: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

• Provision of the Online Offering on Rented Storage Space: To provide our online offering, we utilize storage space, computing capacity, and software that we rent or otherwise procure from a corresponding server provider (also referred to as a “web host”); Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called “server log files.” These server log files may include the address and name of the accessed web pages and files, the date and time of access, the volume of data transferred, a notification regarding successful access, the browser type and version, the user’s operating system, the Referrer URL (the previously visited page), and—as a general rule—IP addresses and the requesting provider. Server log files may be used, on the one hand, for security purposes—e.g., to prevent server overload (particularly in the event of malicious attacks, known as DDoS attacks)—and, on the other hand, to ensure server utilization and stability. Legal Basis: Legitimate Interests (Art. 6 Para. 1 lit. f) GDPR). Data Deletion: Log file information is stored for a maximum period of 30 days, after which it is deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
• Email Transmission and Hosting: The web hosting services we utilize also encompass the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders—as well as other information pertaining to email transmission (e.g., the providers involved)—and the contents of the respective emails are processed. Furthermore, the aforementioned data may be processed for the purposes of spam detection. Please note that, as a general rule, emails sent over the Internet are not encrypted. While emails are typically encrypted during transit, they are not encrypted on the servers from which they are sent and received (unless a so-called end-to-end encryption method is employed). We therefore cannot assume responsibility for the transmission path of emails between the sender and their receipt on our server; Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• STRATO: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service Provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.strato.de; Privacy Policy: https://www.strato.de/datenschutz. Data Processing Agreement: Provided by the Service Provider.

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media), as well as within the scope of existing user and business relationships, the information provided by the inquiring parties is processed to the extent necessary to respond to contact inquiries and to carry out any requested measures.

• Types of data processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Communication partners.
• Purposes of processing: Contact inquiries and communication; management and response to inquiries; feedback (e.g., collecting feedback via online forms). Provision of our online services and user-friendliness.
• Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR). Contractual performance and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR).

Further information on processing processes, procedures, and services:

• Contact Form: If users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context in order to handle the submitted inquiry; Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 lit. f) GDPR).

Presences in social networks (social media)

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active on those platforms or to provide information about ourselves.

We wish to point out that, in this process, user data may be processed outside the European Union. This may give rise to risks for users—for instance, because the enforcement of users’ rights could be rendered more difficult.

Furthermore, user data within social networks is typically processed for market research and advertising purposes. For instance, usage profiles can be created based on users’ usage behavior and the resulting interests. These usage profiles may, in turn, be used to display advertisements—both within and outside the networks—that are presumed to align with the users’ interests. For these purposes, cookies are typically stored on users’ computers to record their usage behavior and interests. Moreover, data may be stored within these usage profiles independently of the specific devices used by the users (particularly if the users are members of the respective platforms and are logged in).

For a detailed overview of the respective forms of processing and the available options to object (opt-out), we refer you to the privacy policies and information provided by the operators of the respective networks.

In the event of requests for information or the exercise of data subject rights, we wish to point out that these are most effectively pursued directly with the respective providers. Only the providers have access to user data and are able to take appropriate measures or provide information directly. Should you nevertheless require assistance, you are welcome to contact us.

• Types of data processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Users (e.g., website visitors, users of online services).
• Purposes of processing: Contact inquiries and communication; feedback (e.g., collecting feedback via online form). Marketing.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

• Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
• Facebook Pages: Profiles within the social network Facebook – Together with Meta Platforms Ireland Limited, we are jointly responsible for the collection (though not the subsequent processing) of data from visitors to our Facebook Page (a so-called “Fanpage”). This data includes information regarding the types of content that users view or interact with, or the actions they take (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services—known as “Page Insights”—to Page operators, enabling them to gain insights into how people interact with their Pages and the content associated with them. We have entered into a specific agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which specifically stipulates the security measures that Facebook must observe and in which Facebook has agreed to fulfill data subject rights (i.e., users may, for example, direct requests for information or deletion directly to Facebook). Users’ rights (particularly the rights to access, deletion, objection, and lodging a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further Information: Joint Controller Addendum: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint controllership is limited to the collection of data by, and the transmission of data to, Meta Platforms Ireland Limited, a company based in the EU. The subsequent processing of the data lies under the sole responsibility of Meta Platforms Ireland Limited, particularly regarding the transfer of data to its parent company, Meta Platforms, Inc., in the USA (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
• YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU-US Data Privacy Framework (DPF). Opt-out option: https://adssettings.google.com/authenticated.

Plugins, embedded functions, and content

We integrate functional and content elements into our online offering that are retrieved from the servers of their respective providers (hereinafter referred to as “Third-Party Providers”). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as “Content”).

The integration of such content always presupposes that the third-party providers of this content process the users’ IP addresses, as they would be unable to transmit the content to the users’ browsers without them. The IP address is therefore required for the display of this content or these functions. We endeavor to use only such content where the respective providers utilize the IP address solely for the delivery of the content. Furthermore, third-party providers may use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. These “pixel tags” allow for the analysis of information such as visitor traffic on the pages of this website. This pseudonymous information may also be stored in cookies on the users’ devices; it may contain—among other things—technical details regarding the browser and operating system, referring websites, visit duration, and other data concerning the use of our online services, and may also be combined with information from other sources.

• Types of data processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); Inventory data (e.g., names, addresses); Contact data (e.g., email addresses, phone numbers); Content data (e.g., entries in online forms); Event Data (Facebook) (“Event Data” refers to data that we may transmit to Facebook—e.g., via the Facebook Pixel, via apps, or through other means—and which relates to individuals or their actions; such data includes, for example, information regarding website visits, interactions with content or features, app installations, product purchases, etc.; Event Data is processed for the purpose of creating target audiences for content and advertising information (Custom Audiences). Event Data does not include actual content (such as comments posted), login information, or contact information (i.e., no names, email addresses, or phone numbers). Event Data is deleted by Facebook after a maximum of two years; the target audiences created from this data are deleted upon the deletion of our Facebook account.
• Affected persons: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; profiles containing user-related information (creation of user profiles). Marketing.
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures, and services:

• Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from the servers of other providers (e.g., function libraries that we use to facilitate the display or enhance the user-friendliness of our online offering). In this context, the respective providers collect the users’ IP addresses and may process them for the purposes of transmitting the software to the users’ browsers, as well as for security purposes and for the evaluation and optimization of their own services. — We integrate software into our online offering that we retrieve from the servers of other providers (e.g., function libraries that we use to facilitate the display or enhance the user-friendliness of our online offering). In this context, the respective providers collect the users’ IP addresses and may process them for the purposes of transmitting the software to the users’ browsers, as well as for security purposes and for the evaluation and optimization of their own services; Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• Facebook Plugins and Content: Facebook Social Plugins and Content – ​​This may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this online offering within Facebook. A list of Facebook Social Plugins, along with their appearance, can be viewed here: https://developers.facebook.com/docs/plugins/. Together with Meta Platforms Ireland Limited, we are jointly responsible for the collection or receipt (via transmission)—though not for the subsequent processing—of “Event Data” that Facebook collects (or receives via transmission) through the Facebook Social Plugins (and content embedding functions) executed on our online offering, for the following purposes: a) Displaying content and advertising information that aligns with the presumed interests of users; b) Delivering commercial and transaction-related messages (e.g., contacting users via Facebook Messenger); c) Improving ad delivery and personalizing features and content (e.g., improving the identification of which content or advertising information likely aligns with users’ interests). We have entered into a specific agreement with Facebook (the “Controller Addendum,” https://www.facebook.com/legal/controller_addendum), which specifically stipulates the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users may, for example, direct requests for information or deletion requests directly to Facebook). Note: If Facebook provides us with metrics, analytics, and reports (which are aggregated—i.e., contain no information regarding individual users and are anonymous to us), this processing does not take place within the framework of joint controllership, but rather on the basis of a data processing agreement (the “Data Processing Terms,” ​​https://www.facebook.com/legal/terms/dataprocessing) and the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), as well as—with regard to processing in the USA—on the basis of Standard Contractual Clauses (the “Facebook EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (specifically regarding access, deletion, objection, and lodging a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Art. 6 para. 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy. Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF).
• Google Fonts (Hosted on Our Own Server): Provision of font files to ensure a user-friendly presentation of our online offering; Service Provider: The Google Fonts are hosted on our own server; no data is transmitted to Google; Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• Font Awesome (Self-hosted): Display of fonts and icons; Service Provider: The Font Awesome icons are hosted on our server; no data is transmitted to the provider of Font Awesome; Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR).
• Instagram Plugins and Content: Instagram Plugins and Content – ​​This may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this online offering within Instagram. – Together with Meta Platforms Ireland Limited, we are jointly responsible for the collection or receipt (via transmission)—though not for the subsequent processing—of “Event Data” that Facebook collects or receives via transmission through Instagram features (e.g., content embedding functions) executed on our online offering, for the following purposes: a) The display of content and advertising information that aligns with the presumed interests of users; b) The delivery of commercial and transaction-related messages (e.g., contacting users via Facebook Messenger); c) The improvement of ad delivery and the personalization of features and content (e.g., improving the identification of which content or advertising information likely aligns with the interests of users). We have concluded a specific agreement with Facebook (the “Controller Addendum,” https://www.facebook.com/legal/controller_addendum), which specifically stipulates the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users may, for example, address requests for information or deletion directly to Facebook). Note: If Facebook provides us with metrics, analytics, and reports (which are aggregated—i.e., contain no information regarding individual users and are anonymous to us), this processing does not take place within the framework of joint controllership, but rather on the basis of a data processing agreement (the “Data Processing Terms,” ​​https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), and—with regard to processing in the USA—on the basis of Standard Contractual Clauses (the “Facebook EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (specifically the rights to access, erasure, objection, and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
• YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF). Opt-Out Option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for ad display: https://adssettings.google.com/authenticated.
• YouTube Videos: Video Content; YouTube videos are embedded using a specific domain (recognizable by the “youtube-nocookie” component) in the so-called “Enhanced Privacy Mode,” which prevents the collection of cookies regarding user activity for the purpose of personalizing video playback. Nevertheless, information regarding user interaction with the video (e.g., remembering the last playback position) may be stored; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF).
• Vimeo Video Player: Video Content – ​​Vimeo’s embeddable video player uses
  first-party cookies that we consider essential to the video player experience.
  We do not use third-party analytics or advertising cookies
  when our video player is displayed on a third-party website, unless
  (i) the website visitor is logged into their Vimeo account and (ii) the
  user who embedded the video has not implemented the DNT
  parameter. Please note that a third-party website
  may place its own cookies. We have no control over
  third-party websites or the cookies they set;
  Service Provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street, New York, New York 10011, USA; Legal Basis: Legitimate Interests (Art. 6 para. 1 lit. f) GDPR); Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy; Data Processing Agreement: https://vimeo.com/enterpriseterms/dpa. Basis for Third-Country Transfer: Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa).

Modification and update of the privacy policy

We ask that you regularly review the content of our Privacy Policy. We update the Privacy Policy whenever changes to our data processing activities make this necessary. We will inform you whenever such changes require an action on your part (e.g., providing consent) or necessitate any other individual notification.

Insofar as we provide addresses and contact information for companies and organizations in this Privacy Policy, we ask you to note that these addresses may change over time; we therefore request that you verify this information before making contact.

Definitions of terms

In this section, you will find an overview of the terms used in this Privacy Policy. Insofar as these terms are defined by law, their statutory definitions apply. The following explanations, however, are intended primarily to facilitate understanding.

• Personal Data: “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles containing user-related information: The processing of “profiles containing user-related information”—or simply “profiles” for short—encompasses any form of automated processing of personal data that involves using such data to analyze, evaluate, or predict specific personal aspects relating to a natural person (depending on the nature of the profiling, this may include various types of information regarding demographics, behavior, and interests—such as interactions with websites and their content, etc.). Cookies and web beacons are frequently employed for profiling purposes.
• Controller: The term “Controller” refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: “Processing” refers to any operation or set of operations performed on personal data, whether or not by automated means. The term is broad in scope and encompasses practically every form of data handling—be it collection, analysis, storage, transmission, or deletion.