Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Last updated: May 9, 2026

Controller

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

• Inventory data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication and procedural data
• Log data

Categories of Data Subjects

• Service recipients and clients
• Prospective clients
• Communication partners
• Users
• Business and contractual partners

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Office and organizational procedures
• Organizational and administrative procedures
• Feedback
• Provision of our online offering and user-friendliness
• Information technology infrastructure
• Business processes and economic procedures

Applicable Legal Bases

Applicable legal bases under the GDPR: The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile.

• Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
• Legal obligation (Art. 6(1)(c) GDPR) — Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1)(f) GDPR) — Processing is necessary to protect the legitimate interests of the controller or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability assurance and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data threats.

Securing online connections through TLS/SSL encryption (HTTPS): To protect the data of users transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser, thereby protecting the data from unauthorized access.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transmitted to or disclosed to other entities, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or the disclosure or transfer of data to other persons, entities or companies, this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or no further legal grounds for processing exist. This applies to cases where the original processing purpose ceases to apply or the data is no longer needed.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.

Data retention and deletion: The following general deadlines apply to retention and archiving under German law:

• 10 years — Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and related documents (§ 147(1)(1) in conjunction with (3) AO, § 14b(1) UStG, § 257(1)(1) in conjunction with (4) HGB).
• 8 years — Accounting documents such as invoices and cost receipts (§ 147(1)(4) and (4a) in conjunction with (3)(1) AO and § 257(1)(4) in conjunction with (4) HGB).
• 6 years — Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation (§ 147(1)(2)(3)(5) in conjunction with (3) AO, § 257(1)(2)(3) in conjunction with (4) HGB).
• 3 years — Data required to consider potential warranty and damages claims or similar contractual claims, stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

As a data subject, you are entitled to various rights under the GDPR, arising in particular from Articles 15 to 21 GDPR:

• Right to object: You have the right to object at any time to the processing of your personal data on grounds relating to your particular situation.
• Right to withdraw consent: You have the right to withdraw consent given at any time.
• Right of access: You have the right to obtain confirmation as to whether data is being processed and to access that data.
• Right to rectification: You have the right to request the completion or correction of your data.
• Right to erasure and restriction: You have the right to request the immediate deletion of your data or to request restriction of processing.
• Right to data portability: You have the right to receive your data in a structured, commonly used and machine-readable format.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates the GDPR.

Business Services

We process personal data of our contractual and business partners, such as customers, clients, prospective clients, suppliers and other cooperation partners (collectively "contractual partners"), for the initiation, execution and settlement of contractual relationships and comparable legal relationships.

The processing serves in particular the fulfillment of our main and ancillary contractual obligations. Which data is required in individual cases is communicated to the contractual partners as part of data collection, for example in online forms through appropriate labeling or in personal contact.

Data is deleted as soon as it is no longer required for the aforementioned purposes and no statutory retention obligations prevent deletion.

• Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Provision of Online Offering and Web Hosting

We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

• Provision of online offering on rented storage space:For the provision of our online offering, we use storage space, computing capacity and software that we rent from a corresponding server provider (also known as "web hoster").
• Collection of access data and log files:Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful access, browser type and version, the user's operating system, referrer URL and, as a rule, IP addresses. Log file information is stored for a maximum of 30 days and then deleted or anonymized.
• Hetzner: Services in the area of providing information technology infrastructure and related services; Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz.

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, phone or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.

• Contact form: When contacting us via our contact form, email or other communication channels, we process the personal data transmitted to us for the purpose of answering and processing the respective inquiry. This typically includes information such as name, contact information and, where applicable, further information that is communicated to us and required for appropriate processing.

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your participation (e.g., consent) or other individual notification.